Abstract

Artifact systems are a novel paradigm for specifying and implementing business processes described in terms of interacting modules called artifacts. Artifacts consist of data and lifecycles, accounting respectively for the relational structure of the artifacts' states and their possible evolutions over time. In this paper we put forward artifact-centric multi-agent systems, a novel formalisation of artifact systems in the context of multi-agent systems operating on them. Differently from the usual process-based models of services, the semantics we give explicitly accounts for the data structures on which artifact systems are defined.

We study the model checking problem for artifact-centric multi-agent systems against specifications written in a quantified version of temporal-epistemic logic expressing the knowledge of the agents in the exchange. We begin by noting that the problem is undecidable in general. We then identify two noteworthy restrictions, one syntactic and one semantic, that enable us to find bisimilar finite abstractions and therefore reduce the model checking problem to the instance on finite models. Under these assumptions we show that the model checking problem for these systems is EXPSPACE-complete. We then introduce artifact-centric programs, compact and declarative representations of the programs governing both the artifact system and the agents. We show that, while these in principle generate infinite-state systems, under natural conditions their verification problem can be solved on finite abstractions that can be effectively computed from the programs. Finally we exemplify the theoretical results of the paper through a mainstream procurement scenario from the artifact systems literature.



1. Introduction 



Much of the work in the area of reasoning about knowledge involves the development of formal 
techniques for the representation of epistemic properties of rational actors, or agents, in a multi- 
agent system (MAS). The approaches based on modal logic are often rooted in interpreted systems (Parikh & Ramanujam, 1985), a computationally grounded semantics (Wooldridge, 2000) used
for the interpretation of several temporal-epistemic logics. This line of research was thoroughly ex- 
plored in the 1990s leading to a significant body of work (Fagin, Halpern, Moses, & Vardi, 1995). 
Further significant explorations have been conducted since then; a recent topic of interest has fo- 
cused on the development of automatic techniques, including model checking (Clarke, Grumberg, & 
Peled, 1999), for the verification of temporal-epistemic specifications for the autonomous agents in 
a MAS (Gammie & van der Meyden, 2004; Kacprzak, Nabialek, Niewiadomski, Penczek, Polrola, 
Szreter, Wozna, & Zbrzezny, 2008; Lomuscio, Qu, & Raimondi, 2009). This has led to develop- 
ments in a number of areas traditionally outside artificial intelligence, knowledge representation 
and MAS, including security (Dechesne & Wang, 2010; Ciobaca, Delaune, & Kremer, 2012), web- 
services (Lomuscio, Solanki, Penczek, & Szreter, 2010) and cache-coherence protocols in hardware 
design (Baukus & van der Meyden, 2004). The ambition of the present paper is to offer a simi- 
lar change of perspective in the area of artifact systems (Cohn & Hull, 2009), a growing topic in 
Service-Oriented Computing (SOC). 

Artifacts are structures that "combine data and process in an holistic manner as the basic building 
block[s]" (Cohn & Hull, 2009) of systems' descriptions. Artifact systems are services constituted by 
complex workflow schemes based on artifacts which the agents interact with. The data component 
is given by the relational databases underpinning the artifacts in a system, whereas the workflows 
are described by "lifecycles" associated with each artifact schema. While in the standard services 
paradigm services are made public by exposing their process interfaces, in artifact systems both 
the data structures and the lifecycles are advertised. Services are composed in a "hub" where op- 
erations on the artifacts are executed. Implementations of artifact systems, such as the IBM engine 
Barcelona (Heath, Hull, & Vaculín, 2011), provide a hub where the service choreography and 
service orchestration (Alonso, Casati, Kuno, & Machiraju, 2004) are carried out. 

While artifact systems are beginning to drive new application areas, such as case management 
systems (Marin, Hull, & Vaculín, 2012), we identify two shortcomings in the present state-of-the-art. Firstly, the artifact systems literature (Bhattacharya, Gerede, Hull, Liu, & Su, 2007; Deutsch, 
Hull, Patrizi, & Vianu, 2009; Hull, 2008; Nooijen, Fahland, & Dongen, 2012) focuses exclusively 
on the artifacts themselves. While there is obviously a need to model and implement the artifact 
infrastructure, importantly we also need to account for the agents implementing the services acting 
on the artifact system. This is of particular relevance given that artifact systems are envisaged to play 
a leading role in information systems. We need to be able to reason not just about the artifact states 
but also about what actions specific participants are allowed and not allowed to do, what knowledge 
they can or cannot derive in a system run, what system state they can achieve in coordination with 
their peers, etc. In other words, we need to move from the description of the artifact infrastructure 
to one that encompasses both the agents and the infrastructure. 

Secondly, there is a pressing demand to provide the hub with automatic choreography and orchestration capabilities. It is well-known that choreography techniques can leverage automatic model checking techniques; orchestration can be recast as a synthesis problem, which, in 
turn, can also benefit from model checking technology. However, while model checking and its 
applications are relatively well-understood in the plain process-based modelling, the presence of 
data makes these problems much harder and virtually unexplored. Additionally, infinite domains 
in the underlying databases lead to infinite state-spaces and undecidability of the model checking 
problem. 

The aim of this paper is to make a concerted contribution to both problems above. Firstly, 
we provide a computationally grounded semantics to systems comprising the artifact infrastructure 
and the agents operating on it. We use this semantics to interpret a temporal-epistemic language 
with first-order quantifiers to reason about the evolution of the hub as well as the knowledge of the 
agents in the presence of evolving, structured data. We observe that the model checking problem 
for these structures is undecidable in general and analyse two notable decidable fragments. In this 
context, a contribution we make is to provide finite abstractions to infinite-state artifact systems, 
thereby presenting a technique for their effective verification for a class of declarative agent-based, 
artifact-centric programs that we here define. We evaluate this methodology by studying its compu- 
tational complexity and by demonstrating its use on a well-known scenario from the artifact systems 
literature. 

1.1 Artifact-Centric Systems 

Service-oriented computing is concerned with the study and development of distributed applica- 
tions that can be automatically discovered and composed by means of remote interfaces. A point of 
distinction over more traditional distributed systems is the interoperability and connectedness of ser- 
vices and the shared format for both data and remote procedure calls. Two technology-independent 
concepts permeate the service-oriented literature: orchestration and choreography (Alonso et al., 
2004; Singh & Huhns, 2005). Orchestration involves the ordering of actions of possibly different 
services, facilitated by a controller or orchestrator, to achieve a certain overall goal. Choreogra- 
phy concerns the distributed coordination of different actions through publicly observable events to 
achieve a certain goal. A MAS perspective (Wooldridge, 2001) is known to be particularly helpful 
in service-oriented computing in that it allows us to ascribe information states and private or com- 
mon goals to the various services. Under this view the agents of the system implement the services 
and interact with one another in a shared infrastructure or environment. 

A key theoretical problem in SOC is to devise effective mechanisms to verify that service com- 
position is correct according to some specification. Techniques based on model checking (Clarke 
et al., 1999) and synthesis (Berardi, Cheikh, Giacomo, & Patrizi, 2008) have been put forward 
to solve the composition and orchestration problem for services described and advertised at inter- 
face level through finite state machines (Calvanese, Giacomo, Lenzerini, Mecella, & Patrizi, 2008). 
More recently, attention has turned to services described by languages such as WS-BPEL (Alves 
et al., 2007), which provide potentially unbounded variables in the description of the service pro- 
cess. Again, model checking approaches have successfully been used to verify complex service 
compositions (Bertoli, Pistore, & Traverso, 2010; Lomuscio, Qu, & Solanki, 2012). 

While WS-BPEL provides a model for services with variables, the data referenced by them is 
non-permanent. The area of data-centric workflows (Hull, Narendra, & Nigam, 2009; Nigam & 
Caswell, 2003) evolved as an attempt to provide support for permanent data, typically present in 
the form of underlying databases. Although usually abstracted away, permanent data is of central 
importance to services, which typically query data sources and are driven by the answers they 
obtain; see, e.g., (Berardi, Calvanese, Giacomo, Hull, & Mecella, 2005). Therefore, a faithful model 
of a service behavior cannot, in general, disregard this component. In response to this, proposals 
have been made in the workflows and service communities in terms of declarative specifications 
of data-centric services that are advertised for automatic discovery and composition. The artifact- 
centric approach (Cohn & Hull, 2009) is now one of the leading emerging paradigms in the area. As 
described in (Hull, 2008; Hull, Damaggio, De Masellis, Fournier, Gupta, Heath, Hobson, Linehan, 
Maradugu, Nigam, Sukaviriya, & Vaculin, 2011) artifact-centric systems can be presented along 
four dimensions. 

Artifacts are the holders of all structured information available in the system. In a business- 
oriented scenario this may include purchase orders, invoices, payment records, etc. Artifacts may 
be created, amended, and destroyed at run time; however, abstract artifact schemas are provided 
at design time to define the structure of all artifacts to be manipulated in the system. Intuitively, 
external events cause changes in the system, including in the value of artifact attributes. 
The evolution of artifacts is governed by lifecycles. These capture the changes that an artifact 
may go through from creation to deletion. Intuitively, a purchase order may be created, amended 
and operated on by several events before it is fulfilled and its existence in the system terminated: a 
lifecycle associated with a purchase order artifact formalises these transitions. 

Services are seen as the actors operating on the artifact system. They represent both human and 
software actors, possibly distributed, that generate events on the artifact system. Some services may 
"own" artifacts, and some artifacts may be shared by several services. However, not all artifacts, or 
parts of artifacts, are visible to all services. Views and windows respectively determine which parts 
of artifacts and which artifact instances are visible to which service. An artifact hub is a system that 
maintains the artifact system and processes the events generated by the services. 

Services generate events on the artifact system according to associations. Typically these are 
declarative descriptions providing the precondition and postconditions for the generation of events. 
These generate changes in the artifact system according to the artifact lifecycles. Since events may 
trigger changes in several artifacts in the system, events are processed by a well-defined semantics (Damaggio, Hull, & Vaculín, 2011; Hull et al., 2011) that governs the sequence of changes 
an artifact-system may undertake upon consumption of an event. Such a semantics, based on the 
use of Prerequisite-Antecedent-Consequent (PAC) rules, ensures acyclicity and full determinism 
in the updates on the artifact system. GSM is a declarative language that can be used to describe 
artifact systems. BARCELONA is an engine that can be used to run a GSM-based artifact-centric 
system (Heath et al., 2011). 

The above is only a partial description of the artifact paradigm. We refer to (Cohn 
& Hull, 2009; Hull, 2008; Hull et al., 2011) for more details. 

As will be clear in the next section, in line with the agent-based approach to services, we will 
use agent-based concepts to model services. The artifact-system will be represented as an environ- 
ment, constituted by evolving databases, upon which the agents operate; lifecycles and associations 
will be modelled by local and global transition functions. The model is intended to incorporate all 
artifact-related concepts including views and windows. 

In view of the above in this paper we address the following questions. How can we give a 
transition-based semantics for artifacts and agents operating on them? What syntax should we use 
to specify properties of the agents and the artifacts themselves? Can we verify that an artifact system 
satisfies certain properties? As this will be shown to be undecidable, can we find suitable fragments 
on which this can actually be carried out? If so, what is the resulting complexity? Lastly, can we 
provide declarative specifications for the agent programs so that these can be verified by model 
checking? Can this technique be used on mainstream scenarios from the SOC literature? 

This paper contributes to answering these questions. 

1.2 Related Work 

As stated above, virtually all current literature on artifact-centric systems focuses on properties and 
implementations of the artifact-system as such. Little or no attention is given to the actors on the 
system, whether they are human or artificial agents. A few formal techniques have, however, been 
put forward to verify the core, non-agent aspects of the system; in the following we briefly compare 
these to this contribution. 

To our knowledge the verification of artifact-centric business processes was first discussed 
in (Bhattacharya et al., 2007), where reachability and deadlocks are phrased in the context of 
artifact-centric systems and complexity results for the verification problem are given. The present 
contribution differs markedly from (Bhattacharya et al., 2007) by employing a more expressive 
specification language, even if the agent-related aspects are not considered, and by putting forward 
effective abstraction procedures for verification. 

In (Gerede & Su, 2007) a verification technique for artifact-centric systems against a variant of 
computation-tree logic is put forward. The decidability of the verification problem is proven for the 
language considered under the assumption that the interpretation domain is bounded. Decidability 
is also shown for the unbounded case by making restrictions on the values that quantified variables 
can range over. In the work here presented we also work on unbounded domains, but do not require 
the restrictions present in (Gerede & Su, 2007): we only insist on the fact that the number of distinct 
values in the system does not exceed a given threshold at any point in any run. Most importantly, the 
interplay between quantification and modalities here considered allows us to bind and use variables 
in different states. This is a major difference as this feature is very expressive and known to lead to 
undecidability. 

A related line of research is followed in (Deutsch et al., 2009; Damaggio, Deutsch, & Vianu, 
2012), where the verification problem for artifact systems against two variants of first-order linear- 
time temporal logic is considered. Decidability of the verification problem is retained by imposing 
syntactic restrictions on both the system descriptions and the specifications to check. This effec- 
tively limits the way in which new values introduced at every computational step can be used by the 
system. Properties based on arithmetic operators are considered in (Damaggio et al., 2012). While 
there are elements of similarity between these approaches and the one we put forward here, includ- 
ing the fact that the concrete interpretation domain is replaced by an abstract one, the contribution 
here presented has significant differences from these. Firstly, our setting is branching-time and not 
linear-time thereby resulting in different expressive power. Secondly, differently from (Deutsch 
et al., 2009; Damaggio et al., 2012), we impose no constraints on nested quantifiers. In contrast, 
(Damaggio et al., 2012) admits only universal quantification over combinations of quantifier-free 
first-order formulas. Thirdly, the abstraction results we present here are given in general terms on 
the semantics of declarative programs and do not depend on a particular presentation of the system. 

More closely related to the present contribution is (Hariri, Calvanese, Giacomo, Deutsch, & 
Montali, 2012), where conditions for the decidability of the model checking problem for data- 
centric dynamic systems, i.e., dynamic systems with relational states, are given. In this case the 
specification language used is a first-order version of the μ-calculus. While our temporal fragment 
is subsumed by the μ-calculus, since we use indexed epistemic modalities as well as a common 
knowledge operator, the two specification languages have different expressive power. To retain 
decidability, like we do here, the authors assume a constraint on the size of the states. However, 
differently from the contribution here presented, (Hariri et al., 2012) assumes limited forms of quantification whereby only individuals persisting in the system evolution can be quantified over. In this 
contribution we do not make this restriction. 

Irrespective of the above, the most important feature that characterises our work is that the 
set-up is entirely based on epistemic logic and multi-agent systems. We use agents to represent 
the autonomous services operating in the system and agent-based concepts play a key role in the 
modelling, the specifications, and the verification techniques put forward. Differently from all ap- 
proaches presented above we are not only concerned with whether the artifact-system meets a par- 
ticular specification. Instead, we also wish to consider what knowledge the agents in the system 
acquire by interacting among themselves and with the artifact-system during a system run. Ad- 
ditionally, the abstraction methodology put forward is modular with respect to the agents in the 
system. These features enable us to give constructive procedures for the generation of finite abstrac- 
tions for artifact-centric programs associated with infinite models. We are not aware of any work in 
the literature tackling any of these aspects. 

Relation to previous work by the authors. This paper combines and expands preliminary 
results originally discussed in (Belardinelli, Lomuscio, & Patrizi, 2011a), (Belardinelli, Lomuscio, 
& Patrizi, 2011b), (Belardinelli, Lomuscio, & Patrizi, 2012a), and (Belardinelli, Lomuscio, & Pa- 
trizi, 2012b). In particular, the technical set up of artifacts and agents is different from that of our 
preliminary studies and makes it more natural to express artifact-centric concepts such as views. 
Differently from our previous attempts we here incorporate an operator for common knowledge and 
provide constructive methods to define abstractions for all notions of bisimulation. We also con- 
sider the complexity of the verification problem, previously unexplored, and evaluate the technique 
in detail on a case study. 

1.3 Scheme of the Paper 

The rest of the paper is organised as follows. In Section 2 we introduce Artifact-centric Multi- 
Agent Systems (ACMAS), the semantics we will be using throughout the paper to describe agents 
operating on an artifact system. In the same section we put forward FO-CTLK, a first-order logic 
with knowledge and time to reason about the evolution of the knowledge of the agents and the 
artifact system. This enables us to propose a satisfaction relation based on the notion of bounded 
quantification, define the model checking problem, and highlight some properties of isomorphic 
states. 

An immediate result we will explore concerns the undecidability of the model checking problem 
for ACMAS in their general setting. Section 3 is concerned with syntactic restrictions on FO-CTLK that enable us to guarantee the existence of finite abstractions of infinite-state ACMAS, 
thereby making the model checking problem feasible by means of standard techniques. 

Section 4 tackles restrictions orthogonal to those of Section 3 by focusing on a subclass of 
ACMAS that admits a decidable model checking problem when considering full FO-CTLK specifi- 
cations. The key finding here is that bounded and uniform ACMAS, a class identified by studying a 
strong bisimulation relation, admit finite abstractions for any FO-CTLK specification. The section 
concludes by showing that under these restrictions the model checking problem is EXPSPACE- 
complete. 

We turn our attention to artifact programs in Section 6 by defining the concept of artifact-centric 
programs. We define them through natural, first-order preconditions and postconditions in line with 
the artifact-centric approach. We give a semantics to them in terms of ACMAS and show that their 
generated models are precisely those uniform ACMAS studied earlier in the paper. It follows that, 
under some boundedness conditions, which can be naturally expressed, the model checking problem 
for artifact-centric programs is decidable and can be executed on finite models. 

Section 7 reports a scenario from the artifact systems literature. This is used to exemplify the 
technique by providing finite abstractions that can be effectively verified. 

We conclude in Section 8 where we consider the limitations of the approach and point to further 
work. 
2. Artifact-Centric Multi-Agent Systems 

In this section we formalise artifact-centric systems and state their verification problem. As data and 
databases are important constituents of artifact systems, our formalisation of artifacts relies on them 
as underpinning concepts. However, as discussed in the previous section, we here give prominence 
to agent-based concepts. As such, we define our systems as comprising both the artifacts in the 
system as well as the agents that interact with the system. 

A standard paradigm for logic-based reasoning about agent systems is interpreted systems (Parikh 
& Ramanujam, 1985; Fagin et al., 1995). In this setting agents are endowed with private local states 
and evolve by performing actions according to an individual protocol. As data play a key part, as 
well as to allow us to specify properties of the artifact system, we will define the agents' local states 
as evolving database instances. We call this formalisation artifact-centric multi-agent systems (AC- 
MAS). AC-MAS enable us to represent naturally and concisely concepts much used in the artifact 
paradigm such as the one of view discussed earlier. 

Our specification language will include temporal-epistemic logic but also quantification over a 
domain so as to represent the data. This is an unusual verification setting, so we will formally define 
the model checking problem for this set up. 

2.1 Databases and First-Order Logic 

As discussed above, we use databases as the basic building blocks for defining the states of the 
agents and the artifact system. We here fix the notation and terminology used. We refer to (Abite- 
boul, Hull, & Vianu, 1995) for more details on databases. 

Definition 2.1 (Database Schemas) A (relational) database schema is a set $\mathcal{D} = \{P_1/q_1, \ldots, P_n/q_n\}$ of relation symbols $P_i$, each associated with its arity $q_i \in \mathbb{N}$. 

Instances of database schemas are defined over interpretation domains. 

Definition 2.2 (Database Instances) Given an interpretation domain $U$ and a database schema $\mathcal{D}$, a $\mathcal{D}$-instance over $U$ is a mapping $D$ associating each relation symbol $P_i \in \mathcal{D}$ with a finite $q_i$-ary relation over $U$, i.e., $D(P_i) \subseteq U^{q_i}$. 

The set of all $\mathcal{D}$-instances over an interpretation domain $U$ is denoted by $\mathcal{D}(U)$. We simply refer to "instances" whenever the database schema $\mathcal{D}$ is clear from the context. The active domain of an instance $D$, denoted as $adom(D)$, is the set of all individuals in $U$ occurring in some tuple of some predicate interpretation $D(P_i)$. Observe that, since $\mathcal{D}$ contains a finite number of relation symbols and each $D(P_i)$ is finite, so is $adom(D)$. 

To fix the notation, we recall the syntax of first-order formulas with equality and no function symbols. Let $Var$ be a countable set of individual variables and $C$ be a finite set of individual constants. A term is any element $t \in Var \cup C$. 

Definition 2.3 (FO-formulas over $\mathcal{D}$) Given a database schema $\mathcal{D}$, the formulas $\varphi$ of the first-order language $\mathcal{L}_{\mathcal{D}}$ are defined by the following BNF grammar: 

$$\varphi ::= t = t' \mid P_i(t_1, \ldots, t_{q_i}) \mid \neg\varphi \mid \varphi \to \varphi \mid \forall x\,\varphi$$

where $P_i \in \mathcal{D}$, $t_1, \ldots, t_{q_i}$ is a $q_i$-tuple of terms and $t, t'$ are terms. 
We assume "$=$" to be a special binary predicate with fixed obvious interpretation. To summarise, $\mathcal{L}_{\mathcal{D}}$ is a first-order language with equality over the relational vocabulary $\mathcal{D}$ with no function symbols and with finitely many constant symbols from $C$. Observe that considering a finite set of constants is not a limitation. Indeed, since we will be working with finite sets of formulas, $C$ can always be defined so as to be able to express any formula of interest. 

In the following we use the standard abbreviations $\exists$, $\wedge$, $\vee$, and $\neq$. Also, free and bound variables are defined as standard. For a formula $\varphi$ we denote the set of its variables as $vars(\varphi)$, the set of its free variables as $free(\varphi)$, and the set of its constants as $const(\varphi)$. We write $\varphi(\vec{x})$ to list explicitly in arbitrary order all the free variables $x_1, \ldots, x_\ell$ of $\varphi$. By slight abuse of notation, we treat $\vec{x}$ as a set, thus we write $\vec{x} = free(\varphi)$. A sentence is a formula with no free variables. 

Given an interpretation domain $U$ such that $C \subseteq U$, an assignment is a function $\sigma : Var \to U$. For an assignment $\sigma$, we denote by $\sigma^x_u$ the assignment such that: (i) $\sigma^x_u(x) = u$; and (ii) $\sigma^x_u(x') = \sigma(x')$, for every $x' \in Var$ different from $x$. For convenience, we extend assignments to constants so that $\sigma(t) = t$, if $t \in C$; that is, we assume a Herbrand interpretation of constants. We can now define the semantics of $\mathcal{L}_{\mathcal{D}}$. 

Definition 2.4 (Satisfaction of FO-formulas) Given a $\mathcal{D}$-instance $D$, an assignment $\sigma$, and an FO-formula $\varphi \in \mathcal{L}_{\mathcal{D}}$, we inductively define whether $D$ satisfies $\varphi$ under $\sigma$, written $(D, \sigma) \models \varphi$, as follows: 

$$\begin{array}{lcl}
(D,\sigma) \models P_i(t_1, \ldots, t_{q_i}) & \text{iff} & \langle \sigma(t_1), \ldots, \sigma(t_{q_i}) \rangle \in D(P_i) \\
(D,\sigma) \models t = t' & \text{iff} & \sigma(t) = \sigma(t') \\
(D,\sigma) \models \neg\varphi & \text{iff} & (D,\sigma) \not\models \varphi \\
(D,\sigma) \models \varphi \to \psi & \text{iff} & (D,\sigma) \not\models \varphi \ \text{or} \ (D,\sigma) \models \psi \\
(D,\sigma) \models \forall x\,\varphi & \text{iff} & (D, \sigma^x_u) \models \varphi \ \text{for all } u \in adom(D)
\end{array}$$

A formula $\varphi$ is true in $D$, written $D \models \varphi$, iff $(D, \sigma) \models \varphi$, for all assignments $\sigma$. 

Observe that we adopt an active-domain semantics, that is, quantified variables range only over the active domain of $D$. Also notice that constants are interpreted rigidly; so, two constants are equal if and only if they are syntactically the same. In the rest of the paper, we assume that every interpretation domain includes $C$. Also, as a usual shortcut, we write $(D, \sigma) \not\models \varphi$ to express that it is not the case that $(D, \sigma) \models \varphi$. 

Finally, we introduce the $\oplus$ operator on $\mathcal{D}$-instances that will be used later in the paper. Let the primed version of a database schema $\mathcal{D}$ be the schema $\mathcal{D}' = \{P'_1/q_1, \ldots, P'_n/q_n\}$ obtained from $\mathcal{D}$ by syntactically replacing each predicate symbol $P_i$ with its primed version $P'_i$ of the same arity. 

Definition 2.5 ($\oplus$ Operator) Given two $\mathcal{D}$-instances $D$ and $D'$, we define $D \oplus D'$ as the $(\mathcal{D} \cup \mathcal{D}')$-instance such that $D \oplus D'(P_i) = D(P_i)$ and $D \oplus D'(P'_i) = D'(P_i)$. 

Intuitively, the $\oplus$ operator defines a disjunctive join of the two instances, where relation symbols in $\mathcal{D}$ are interpreted according to $D$, while their primed versions are interpreted according to $D'$. 
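The following Python implementation of Definitions 2.1 to 2.5 is an added example and is not code from the paper or from any artifact-systems engine. It represents a schema as a map from relation symbols to arities and an instance as a map from symbols to finite relations, evaluates $\mathcal{L}_{\mathcal{D}}$ formulas under the active-domain semantics with rigidly interpreted constants, and builds $D \oplus D'$. The sample schema (Order/2, Paid/1), the two instances and the sentences checked are constructed for the example; their names are assumptions, not taken from the paper. The last sentence shows the consequence of active-domain semantics a practitioner most often trips over: a constant in $C$ that does not occur in $adom(D)$ is never visited by a quantifier, so $\exists x\,(x = carol)$ is false even though $carol \in C \subseteq U$.

```python
"""Definitions 2.1-2.5 as code: schemas, instances, active domain,
active-domain satisfaction with rigid constants, and the ⊕ operator."""
from dataclasses import dataclass
from typing import Any, Dict, FrozenSet, Tuple

Schema = Dict[str, int]                           # P_i -> q_i
Instance = Dict[str, FrozenSet[Tuple[Any, ...]]]  # P_i -> finite q_i-ary relation over U


@dataclass(frozen=True)
class Var:
    """An individual variable; every other term is a constant from C (denoting itself)."""
    name: str


def check_instance(schema: Schema, inst: Instance) -> None:
    """Reject a mapping that is not a schema-instance: unknown symbol or wrong arity."""
    for p, tuples in inst.items():
        if p not in schema:
            raise ValueError(f"{p} is not a relation symbol of the schema")
        bad = [t for t in tuples if len(t) != schema[p]]
        if bad:
            raise ValueError(f"{p}/{schema[p]} has tuples of the wrong arity: {bad}")


def adom(inst: Instance) -> FrozenSet[Any]:
    """Active domain: every individual occurring in some tuple of some D(P_i)."""
    return frozenset(u for tuples in inst.values() for t in tuples for u in t)


def oplus(d: Instance, d_prime: Instance) -> Instance:
    """D ⊕ D': unprimed symbols are read from D, primed symbols from D'."""
    out = dict(d)
    out.update({p + "'": tuples for p, tuples in d_prime.items()})
    return out


# Formulas are nested tuples following the grammar of Definition 2.3 (→ is primitive):
#   ("eq", t, t')  ("pred", P, (t1, ..., tq))  ("not", φ)  ("imp", φ, ψ)  ("forall", x, φ)
def exists(x: Var, phi):
    return ("not", ("forall", x, ("not", phi)))       # ∃xφ  :=  ¬∀x¬φ


def free_vars(phi) -> FrozenSet[str]:
    op = phi[0]
    if op == "eq":
        return frozenset(t.name for t in phi[1:] if isinstance(t, Var))
    if op == "pred":
        return frozenset(t.name for t in phi[2] if isinstance(t, Var))
    if op == "not":
        return free_vars(phi[1])
    if op == "imp":
        return free_vars(phi[1]) | free_vars(phi[2])
    if op == "forall":
        return free_vars(phi[2]) - {phi[1].name}
    raise ValueError(f"unknown connective {op}")


def value(sigma: Dict[str, Any], t: Any) -> Any:
    """σ extended to constants Herbrand-style: σ(c) = c, so constants are rigid."""
    return sigma[t.name] if isinstance(t, Var) else t


def sat(inst: Instance, sigma: Dict[str, Any], phi) -> bool:
    """(D, σ) ⊨ φ; quantified variables range over adom(D) only."""
    op = phi[0]
    if op == "eq":
        return value(sigma, phi[1]) == value(sigma, phi[2])
    if op == "pred":
        return tuple(value(sigma, t) for t in phi[2]) in inst.get(phi[1], frozenset())
    if op == "not":
        return not sat(inst, sigma, phi[1])
    if op == "imp":
        return (not sat(inst, sigma, phi[1])) or sat(inst, sigma, phi[2])
    if op == "forall":
        x, body = phi[1], phi[2]
        return all(sat(inst, {**sigma, x.name: u}, body) for u in adom(inst))
    raise ValueError(f"unknown connective {op}")


def holds(inst: Instance, sentence) -> bool:
    """D ⊨ φ for a sentence. Open formulas are rejected: 'for all assignments over U'
    is not enumerable when U is infinite, and for a sentence every assignment agrees."""
    fv = free_vars(sentence)
    if fv:
        raise ValueError(f"not a sentence, free variables: {sorted(fv)}")
    return sat(inst, {}, sentence)


# Constructed sample data (assumed names, not from the paper): Order(id, customer), Paid(id).
SCHEMA: Schema = {"Order": 2, "Paid": 1}
D0: Instance = {"Order": frozenset({("o1", "alice"), ("o2", "bob")}),
                "Paid": frozenset({("o1",)})}
D1: Instance = {"Order": D0["Order"], "Paid": frozenset({("o1",), ("o2",)})}

x, y = Var("x"), Var("y")
# ∀x∀y (Order(x, y) → Paid(x)): every order in the hub has been paid.
ALL_PAID = ("forall", x, ("forall", y,
            ("imp", ("pred", "Order", (x, y)), ("pred", "Paid", (x,)))))
# ∃x (x = carol): false whenever the constant carol is absent from adom(D).
SEES_CAROL = exists(x, ("eq", x, "carol"))

if __name__ == "__main__":
    check_instance(SCHEMA, D0)
    print(sorted(adom(D0)), holds(D0, ALL_PAID), holds(D1, ALL_PAID), holds(D0, SEES_CAROL))
    print(sorted(oplus(D0, D1)))
```

Two behaviours worth noticing when running it: on the empty instance every universal sentence is vacuously true because $adom(D)$ is empty, and `holds` refuses open formulas, since $D \models \varphi$ quantifies over all assignments into $U$ rather than into the finite active domain.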

2.2 Artifact-Centric Multi-Agent Systems 

In the following we introduce the semantic structures that we will use throughout the paper. We 
define an artifact-centric multi-agent system as a system comprising an environment representing 
all interacting artifacts in the system and a finite set of agents interacting with such environment. 



As agents have views of the artifact state, i.e., projections of the status of particular artifacts, we 
assume the building blocks of their private local states also to be modelled as database instances. In 
line with the interpreted systems semantics (Fagin et al., 1995) not everything in the agents' states 
needs to be present in the environment; a portion of it may be entirely private and not replicated in 
other agents' states. So, we start by introducing the notion of agent. 

Definition 2.6 (Agent) Given an interpretation domain $U$, an agent is a tuple $A = (\mathcal{D}, L, Act, Pr)$, where: 

• $\mathcal{D}$ is the local database schema; 

• $L \subseteq \mathcal{D}(U)$ is the set of local states; 

• $Act$ is the finite set of action types of the form $a(\vec{p})$, where $\vec{p}$ is the tuple of abstract parameters; 

• $Pr : L \to 2^{Act(U)}$ is the local protocol function, where $Act(U)$ is the set of ground actions of the form $a(\vec{u})$ where $a(\vec{p}) \in Act$ and $\vec{u} \in U^{|\vec{p}|}$ is a tuple of ground parameters. 

Intuitively, at a given time each agent $A$ is in some local state $l \in \mathcal{D}(U)$ that represents all the 
information agent $A$ has at its disposal. In this sense we follow (Fagin et al., 1995) but require that 
this information is structured as a database. Again, following standard literature we assume that 
the agents are autonomous and proactive and perform the actions in Act according to the protocol 
function Pr. In the definition above we distinguish between "abstract parameters" to denote the 
language in which particular action parameters are given, and their concrete values or "ground 
parameters". 

We assume that the agents interact among themselves and with an environment comprising all 
artifacts in the system. As artifacts are entities involving both data and process, we can see them 
as collections of database instances paired with actions and governed by special protocols. Without 
loss of generality we can assume the environment state to be a single database instance including 
all artifacts in the system. From a purely formal point of view this allows us to represent the 
environment as a special agent. Of course, in any specific instantiation the environment and the 
agents will be rather different, exactly in line with the standard propositional version of interpreted 
systems. 

We can therefore define the synchronous composition of agents with the environment. 

Definition 2.7 (Artifact-Centric Multi-Agent Systems) Given an interpretation domain $U$ and a set $Ag = \{A_0, \ldots, A_n\}$ of agents $A_i = (\mathcal{D}_i, L_i, Act_i, Pr_i)$ defined on $U$, an artifact-centric multi-agent system (or AC-MAS) is a tuple $\mathcal{P} = (S, U, s_0, \tau)$ where: 

• $S \subseteq L_0 \times \cdots \times L_n$ is the set of reachable global states; 

• $U$ is the interpretation domain; 

• $s_0 \in S$ is the initial global state; 

• $\tau : S \times Act(U) \to 2^S$ is the global transition function, where $Act(U) = Act_0(U) \times \cdots \times Act_n(U)$ is the set of global (ground) actions, and $\tau(\langle l_0, \ldots, l_n \rangle, \langle a_0(\vec{u}_0), \ldots, a_n(\vec{u}_n) \rangle)$ is defined iff $a_i(\vec{u}_i) \in Pr_i(l_i)$ for every $i \leq n$. 
As we will see in later sections, AC-MAS are the natural extension of interpreted systems to
the first order to account for environments constituted of artifact-centric systems. They can be seen
as a specialisation of quantified interpreted systems (Belardinelli & Lomuscio, 2012), a general
extension of interpreted systems to the first-order case.

In the formalisation above the agent $A_0$ is referred to as the environment $E$. The environment
includes all artifacts in the system as well as additional information to facilitate communication
between the agents and the hub, e.g., messages in transit etc. At any given time an AC-MAS is
described by a tuple of database instances, representing all the agents in the system as well as the
artifact system. A single interpretation domain for all database schemas is given. Note that this
does not break the generality of the representation as we can always extend the domain of all agents
and the environment before composing them into a single AC-MAS. The global transition function
defines the evolution of the system through synchronous composition of actions for the environment
and all agents in the system.

Much of the interaction we are interested in modelling involves message exchanges with payload, hence the action parameters, between agents and the environment, i.e., agents operating on the
artifacts. However, note that the formalisation above does not preclude us from modelling agent-to-agent interactions, as the global transition function does not rule out successors in which only some
agents change their local state following some actions. Also observe that essential concepts such as
views are naturally expressed in AC-MAS by insisting that the local state of an agent includes part
of the environment's, i.e., the artifacts the agent has access to. Not all AC-MAS need to have views
defined, so it is also possible for the views to be empty.

Other artifact-based concepts such as lifecycles are naturally expressed in AC-MAS. As artifacts
are modelled as part of the environment, a lifecycle is naturally encoded in AC-MAS simply as
the sequence of changes induced by the transition function $\tau$ on the fragment of the environment
representing the lifecycle in question. We will show an example of this in Section 7.

Some technical remarks now follow. To simplify the notation, we denote a global ground action
as $\vec{\alpha}(\vec{u})$, where $\vec{\alpha} = \langle \alpha_0(\vec{p}_0), \ldots, \alpha_n(\vec{p}_n) \rangle$ and $\vec{u} = \langle \vec{u}_0, \ldots, \vec{u}_n \rangle$, with each $\vec{u}_i$ of appropriate
size. We define the transition relation $\to$ on $S \times S$ such that $s \to s'$ if and only if there exists a
$\vec{\alpha}(\vec{u}) \in Act(U)$ such that $s' \in \tau(s, \vec{\alpha}(\vec{u}))$. If $s \to s'$, we say that $s'$ is a successor of $s$. A run $r$
from $s \in S$ is an infinite sequence $s^0 \to s^1 \to \cdots$, with $s^0 = s$. For $n \in \mathbb{N}$, we take $r(n) = s^n$. A
state $s'$ is reachable from $s$ if there exists a run $r$ from the global state $r(0) = s$ such that $r(i) = s'$,
for some $i \ge 0$. We assume that the relation $\to$ is serial. This can be easily obtained by assuming
that each agent has a skip action enabled at each local state and that performing skip induces no
changes in any of the local states. We consider $S$ to be the set of states reachable from the initial
state $s_0$. For convenience we will also use the concept of temporal-epistemic (t.e., for short) run.
Formally a t.e. run $r$ from a state $s \in S$ is an infinite sequence $s^0 \leadsto s^1 \leadsto \cdots$ such that $s^0 = s$
and $s^i \to s^{i+1}$ or $s^i \sim_k s^{i+1}$, for some $k \in Ag$. A state $s'$ is said to be temporally-epistemically
reachable (t.e. reachable, for short) from $s$ if there exists a t.e. run $r$ from the global state $r(0) = s$
such that for some $i \ge 0$ we have that $r(i) = s'$. Obviously, temporal-epistemic runs include purely
temporal runs as a special case.

As in plain interpreted systems (Fagin et al., 1995), we say that two global states $s = \langle l_0, \ldots, l_n \rangle$
and $s' = \langle l'_0, \ldots, l'_n \rangle$ are epistemically indistinguishable for agent $A_i$, written $s \sim_i s'$, if $l_i = l'_i$.
Differently from interpreted systems the local equality is evaluated on database instances. Also,
notice that we admit $U$ to be infinite, thereby allowing the possibility of the set of states $S$ to be
infinite. Indeed, unless we specify otherwise, we will assume to be working with infinite-state
AC-MAS.

Finally, for technical reasons it is useful to refer to a global database schema $\mathcal{D} = \mathcal{D}_0 \cup \cdots \cup \mathcal{D}_n$
of an AC-MAS. Every global state $s = \langle l_0, \ldots, l_n \rangle$ is associated with the (global) $\mathcal{D}$-instance
$D_s \in \mathcal{D}(U)$ such that $D_s(P_i) = \bigcup_{j \in Ag} l_j(P_i)$, for $P_i \in \mathcal{D}$. We omit the subscript $s$ when $s$ is
clear from the context and we write $adom(s)$ for $adom(D_s)$. Notice that for every $s \in S$, the $D_s$
associated with $s$ is unique, while the converse is not true in general.

2.3 Model Checking 

We now define the problem of verifying an artifact-centric multi-agent system against a specification 
of interest. By following the artifact-centric model, we wish to give data the same prominence as 
processes. To deal with data and the underlying database instances, our specification language needs 
to include first-order logic. Further, we require temporal logic to describe the system execution. 
Lastly, we use epistemic logic to express the information the agents have at their disposal. Hence, 
we define a first-order temporal epistemic specification language to be interpreted on AC-MAS. The 
specification language will be used in Section 6 to formalise properties of artifact-centric programs. 

Definition 2.8 (The Logic FO-CTLK) The first-order CTLK (or FO-CTLK) formulas $\varphi$ over a
database schema $\mathcal{D}$ are inductively defined by the following BNF:

$\varphi ::= \phi \mid \neg\varphi \mid \varphi \to \varphi \mid \forall x \varphi \mid AX\varphi \mid A\varphi U \varphi \mid E\varphi U \varphi \mid K_i \varphi \mid C\varphi$

where $\phi \in \mathcal{L}_{\mathcal{D}}$ and $0 \le i \le n$.

The notions of free and bound variables for FO-CTLK extend straightforwardly from $\mathcal{L}_{\mathcal{D}}$, as well as
the functions $vars$, $free$, and $const$. As usual, the temporal formulas $AX\varphi$ and $A\varphi U \varphi'$ (resp. $E\varphi U \varphi'$)
are read as "for all runs, at the next step $\varphi$" and "for all runs (resp. some run), $\varphi$ until $\varphi'$". The
epistemic formulas $K_i\varphi$ and $C\varphi$ intuitively mean that "agent $A_i$ knows $\varphi$" and "it is common
knowledge among all agents that $\varphi$" respectively. We use the abbreviations $EX\varphi$, $AF\varphi$, $AG\varphi$,
$EF\varphi$, and $EG\varphi$ as standard. Observe that free variables can occur within the scope of modal operators, thus allowing for the unconstrained alternation of quantifiers and modal operators, thereby
allowing us to refer to elements in different modal contexts. We consider also a number of fragments of FO-CTLK. The sentence atomic version of FO-CTLK without epistemic modalities, or
SA-FO-CTL, is the language obtained from Definition 2.8 by removing the clauses for epistemic
operators and restricting atomic formulas to first-order sentences, so that no variable appears free in
the scope of a modal operator:

$\varphi ::= \phi \mid \neg\varphi \mid \varphi \to \varphi \mid AX\varphi \mid A\varphi U \varphi \mid E\varphi U \varphi$

where $\phi \in \mathcal{L}_{\mathcal{D}}$ is a sentence.

We will consider also the language FO-ECTLK, i.e., the existential fragment of FO-CTLK,
defined as follows:

$\varphi ::= \phi \mid \varphi \wedge \varphi \mid \varphi \vee \varphi \mid \forall x \varphi \mid \exists x \varphi \mid EX\varphi \mid E\varphi U \varphi \mid \overline{K}_i \varphi \mid \overline{C}\varphi,$

where $\phi \in \mathcal{L}_{\mathcal{D}}$, with $\wedge$ and $\vee$ the standard abbreviations, $\overline{K}_i\varphi = \neg K_i \neg\varphi$, and $\overline{C}\varphi = \neg C \neg\varphi$.
The semantics of FO-CTLK formulas is defined as follows. 
Definition 2.9 (Satisfaction for FO-CTLK) Consider an AC-MAS $\mathcal{P}$, an FO-CTLK formula $\varphi$, a
state $s \in \mathcal{P}$, and an assignment $\sigma$. We inductively define whether $\mathcal{P}$ satisfies $\varphi$ in $s$ under $\sigma$, written
$(\mathcal{P}, s, \sigma) \models \varphi$, as follows.

$(\mathcal{P}, s, \sigma) \models \varphi$ iff $(D_s, \sigma) \models \varphi$, if $\varphi$ is an FO-formula

$(\mathcal{P}, s, \sigma) \models \neg\varphi$ iff it is not the case that $(\mathcal{P}, s, \sigma) \models \varphi$

$(\mathcal{P}, s, \sigma) \models \varphi \to \varphi'$ iff $(\mathcal{P}, s, \sigma) \models \neg\varphi$ or $(\mathcal{P}, s, \sigma) \models \varphi'$

$(\mathcal{P}, s, \sigma) \models \forall x \varphi$ iff for all $u \in adom(s)$, $(\mathcal{P}, s, \sigma(^{x}_{u})) \models \varphi$

$(\mathcal{P}, s, \sigma) \models AX\varphi$ iff for all runs $r$, if $r(0) = s$, then $(\mathcal{P}, r(1), \sigma) \models \varphi$

$(\mathcal{P}, s, \sigma) \models A\varphi U \varphi'$ iff for all runs $r$, if $r(0) = s$, then there is $k \ge 0$ s.t. $(\mathcal{P}, r(k), \sigma) \models \varphi'$,
and for all $j$, $0 \le j < k$ implies $(\mathcal{P}, r(j), \sigma) \models \varphi$

$(\mathcal{P}, s, \sigma) \models E\varphi U \varphi'$ iff for some run $r$, $r(0) = s$ and there is $k \ge 0$ s.t. $(\mathcal{P}, r(k), \sigma) \models \varphi'$,
and for all $j$, $0 \le j < k$ implies $(\mathcal{P}, r(j), \sigma) \models \varphi$

$(\mathcal{P}, s, \sigma) \models K_i\varphi$ iff for all $s'$, $s \sim_i s'$ implies $(\mathcal{P}, s', \sigma) \models \varphi$

$(\mathcal{P}, s, \sigma) \models C\varphi$ iff for all $s'$, $s \sim s'$ implies $(\mathcal{P}, s', \sigma) \models \varphi$

where $\sim$ is the transitive closure of $\bigcup_{1 \le i \le n} \sim_i$.

A formula $\varphi$ is said to be true at a state $s$, written $(\mathcal{P}, s) \models \varphi$, if $(\mathcal{P}, s, \sigma) \models \varphi$ for all assignments
$\sigma$. Moreover, $\varphi$ is said to be true in $\mathcal{P}$, written $\mathcal{P} \models \varphi$, if $(\mathcal{P}, s_0) \models \varphi$.

A key concern in this paper is to explore the model checking of AC-MAS against first-order
temporal-epistemic specifications.

Definition 2.10 (Model Checking) Model checking an AC-MAS $\mathcal{P}$ against an FO-CTLK formula
$\varphi$ amounts to finding an assignment $\sigma$ such that $(\mathcal{P}, s_0, \sigma) \models \varphi$.

It is easy to see that whenever U is finite the model checking problem is decidable as V is a finite- 
state system. In general this is not the case. 

Theorem 2.11 The model checking problem for AC-MAS w.r.t. FO-CTLK is undecidable. 

Proof (sketch). This can be proved by showing that every Turing machine $T$ whose tape contains
an initial input $I$ can be simulated by an artifact system $\mathcal{P}_{T,I}$. The problem of checking whether $T$
terminates on that particular input can be reduced to checking whether $\mathcal{P}_{T,I} \models \varphi$, where $\varphi$ encodes
the termination condition. The detailed construction is similar to that of Theorem 4.10 of (Deutsch,
Sui, & Vianu, 2007). □

Given the general setting in which the model checking problem is defined above, the negative result 
is not surprising. In the following we identify syntactic and semantic restrictions for which the 
problem is decidable. 



2.4 Isomorphisms 

We now investigate the concept of isomorphism on AC-MAS. This will be needed in later sections
to produce finite abstractions of infinite-state AC-MAS. In what follows let $\mathcal{P} = \langle S, U, s_0, \tau \rangle$ and
$\mathcal{P}' = \langle S', U', s'_0, \tau' \rangle$ be two AC-MAS.

Definition 2.12 (Isomorphism) Two local states $l, l' \in \mathcal{D}(U)$ are isomorphic, written $l \simeq l'$, iff
there exists a bijection $\iota : adom(l) \cup C \mapsto adom(l') \cup C$ such that:

(i) $\iota$ is the identity on $C$;

(ii) for every $P_i \in \mathcal{D}$, $\vec{u} \in U^{q_i}$, we have that $\vec{u} \in l(P_i)$ iff $\iota(\vec{u}) \in l'(P_i)$.

When this is the case, we say that $\iota$ is a witness for $l \simeq l'$.

Two global states $s \in S$ and $s' \in S'$ are isomorphic, written $s \simeq s'$, iff there exists a bijection
$\iota : adom(s) \cup C \mapsto adom(s') \cup C$ such that for every $j \in Ag$, $\iota$ is a witness for $l_j \simeq l'_j$.

[Figure 1: Examples of isomorphic and non-isomorphic local states.]

Notice that isomorphisms preserve the constants in $C$ as well as predicates in the local states up
to renaming of the corresponding terms. Any function $\iota$ as above is called a witness for $s \simeq s'$.
Obviously, the relation $\simeq$ is an equivalence relation. Given a function $f : U \mapsto U'$ defined on
$adom(s)$, $f(s)$ denotes the interpretation in $\mathcal{D}(U')$ obtained from $s$ by renaming each $u \in adom(s)$
as $f(u)$. If $f$ is also injective (thus invertible) and the identity on $C$, then $f(s) \simeq s$.

Example. For an example of isomorphic states, consider an agent with local database schema
$\mathcal{D} = \{P_1/2, P_2/1\}$, let $U = \{a, b, c, \ldots\}$ be an interpretation domain, and fix the set $C = \{b\}$ of
constants. Let $l$ be the local state such that $l(P_1) = \{(a, b), (b, d)\}$ and $l(P_2) = \{a\}$ (see Figure 1).
Then, the local state $l'$ such that $l'(P_1) = \{(c, b), (b, e)\}$ and $l'(P_2) = \{c\}$ is isomorphic to $l$. This
can be easily seen by considering the isomorphism $\iota$, where: $\iota(a) = c$, $\iota(b) = b$, and $\iota(d) = e$. On
the other hand, the state $l''$ where $l''(P_1) = \{(f, d), (d, e)\}$ and $l''(P_2) = \{f\}$ is not isomorphic to
$l$. Indeed, although a bijection exists that "transforms" $l$ into $l''$, it is easy to see that none can be
such that $\iota(b) = b$.
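As an added illustration (this code is not part of the paper), the following Python searches for a witness bijection as in Definition 2.12 on the three local states of the example, and extends the search to global states, where a single bijection must serve every agent's component. Predicate and helper names are my own; the search is brute force over permutations, which is fine for states of this size.

```python
from itertools import permutations

# A local state is a dict: predicate name -> set of tuples (its extension).


def adom(state):
    """Active domain: every value occurring in some tuple of the instance."""
    return {v for tuples in state.values() for t in tuples for v in t}


def is_witness(iota, l1, l2):
    """Condition (ii) of Def. 2.12: u in l1(P) iff iota(u) in l2(P), for every P."""
    for pred in set(l1) | set(l2):
        mapped = {tuple(iota[v] for v in t) for t in l1.get(pred, set())}
        if mapped != l2.get(pred, set()):
            return False
    return True


def _search_bijection(dom, cod, constants, accept):
    """Enumerate bijections dom -> cod that fix every constant (condition (i))
    and return the first one accepted by `accept`, or None."""
    if len(dom) != len(cod):
        return None                      # no bijection exists at all
    free_dom = [v for v in dom if v not in constants]
    free_cod = [v for v in cod if v not in constants]
    for perm in permutations(free_cod):
        iota = {c: c for c in constants}
        iota.update(zip(free_dom, perm))
        if accept(iota):
            return iota
    return None


def find_witness(l1, l2, constants):
    """Witness for l1 ≃ l2 over adom ∪ C, or None if not isomorphic."""
    return _search_bijection(sorted(adom(l1) | constants),
                             sorted(adom(l2) | constants),
                             constants, lambda i: is_witness(i, l1, l2))


def find_global_witness(s1, s2, constants):
    """Global states are tuples of local states (one per agent): one bijection
    over adom(s) ∪ C must witness every component pair simultaneously."""
    if len(s1) != len(s2):
        return None
    dom = sorted(set().union(*map(adom, s1)) | constants)
    cod = sorted(set().union(*map(adom, s2)) | constants)
    return _search_bijection(
        dom, cod, constants,
        lambda i: all(is_witness(i, a, b) for a, b in zip(s1, s2)))


# Constructed data: the paper's example with schema {P1/2, P2/1} and C = {b}.
C = {"b"}
l = {"P1": {("a", "b"), ("b", "d")}, "P2": {("a",)}}
l_prime = {"P1": {("c", "b"), ("b", "e")}, "P2": {("c",)}}
l_second = {"P1": {("f", "d"), ("d", "e")}, "P2": {("f",)}}
# A second agent's local state, used to show the global-state requirement.
q = {"Q": {("d",)}}

if __name__ == "__main__":
    print(find_witness(l, l_prime, C))          # {'a': 'c', 'b': 'b', 'd': 'e'}
    print(find_witness(l, l_second, C))         # None: no bijection fixes b
    print(find_witness(l, l_second, set()))     # a bijection exists once b is free
```

Dropping `b` from `C` makes `l` and `l_second` isomorphic, which is exactly the "bijection exists but none fixes b" remark above.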

Note that, while isomorphic states have the same relational structure, two isomorphic states do 
not necessarily satisfy the same FO-formulas as satisfaction depends also on the values assigned to 
free variables. To account for this, we introduce the following notion. 

Definition 2.13 (Equivalent assignments) Given two states $s \in S$ and $s' \in S'$, and a set of variables $V \subseteq Var$, two assignments $\sigma : Var \mapsto U$ and $\sigma' : Var \mapsto U'$ are equivalent for $V$ w.r.t. $s$
and $s'$ iff there exists a bijection $\gamma : adom(s) \cup C \cup \sigma(V) \mapsto adom(s') \cup C \cup \sigma'(V)$ such that:

(i) $\gamma|_{adom(s) \cup C}$ is a witness for $s \simeq s'$;

(ii) $\sigma'|_V = \gamma \circ \sigma|_V$.

Intuitively, equivalent assignments preserve both the (in)equalities of the variables in $V$ and the
constants in $s, s'$ up to renaming. Note that, by definition, the above implies that $s, s'$ are isomorphic.
We say that two assignments are equivalent for an FO-CTLK formula $\varphi$, omitting the states $s$ and
$s'$ when it is clear from the context, if these are equivalent for $free(\varphi)$.

We can now show that isomorphic states satisfy exactly the same FO-formulas. 

Proposition 2.14 Given two isomorphic states $s \in S$ and $s' \in S'$, an FO-formula $\varphi$, and two
assignments $\sigma$ and $\sigma'$ equivalent for $\varphi$, we have that

$(D_s, \sigma) \models \varphi$ iff $(D_{s'}, \sigma') \models \varphi$

Proof. The proof is by induction on the structure of $\varphi$. Consider the base case for the atomic
formula $\varphi = P(t_1, \ldots, t_k)$. Then $(D_s, \sigma) \models \varphi$ iff $\langle \sigma(t_1), \ldots, \sigma(t_k) \rangle \in D_s(P)$. Since $\sigma$ and
$\sigma'$ are equivalent for $\varphi$, and $s \simeq s'$, this is the case iff $\langle \sigma'(t_1), \ldots, \sigma'(t_k) \rangle \in D_{s'}(P)$, that is,
$(D_{s'}, \sigma') \models \varphi$. The base case for $\varphi = t = t'$ is proved similarly, by observing that the satisfaction
of $\varphi$ depends only on the assignments, and that the function $\gamma$ of Def. 2.13 is a bijection, thus
all the (in)equalities between the values assigned by $\sigma$ and $\sigma'$ are preserved. This is sufficient to
guarantee that $\sigma(t) = \sigma(t')$ iff $\sigma'(t) = \sigma'(t')$. The inductive step for the propositional connectives
is straightforward. Finally, if $\varphi = \forall y \psi$, then $(D_s, \sigma) \models \varphi$ iff for all $u \in adom(s)$, $(D_s, \sigma(^{y}_{u})) \models \psi$.
Now consider the witness $\iota = \gamma|_{adom(s) \cup C}$ for $s \simeq s'$, where $\gamma$ is as in Def. 2.13. We have that $\sigma(^{y}_{u})$
and $\sigma'(^{y}_{\iota(u)})$ are equivalent for $\psi$. By induction hypothesis $(D_s, \sigma(^{y}_{u})) \models \psi$ iff $(D_{s'}, \sigma'(^{y}_{\iota(u)})) \models \psi$.
Since $\iota$ is a bijection, this is the case iff for all $u' \in adom(s')$, $(D_{s'}, \sigma'(^{y}_{u'})) \models \psi$, i.e., $(D_{s'}, \sigma') \models \varphi$.
□

This leads us to the following result. 

Corollary 2.15 Given two isomorphic states $s \in S$ and $s' \in S'$ and an FO-sentence $\varphi$, we have
that

$D_s \models \varphi$ iff $D_{s'} \models \varphi$

Proof. From right to left. Suppose, by contradiction, that $D_s \not\models \varphi$. Then there exists an
assignment $\sigma$ s.t. $(D_s, \sigma) \not\models \varphi$. Since $free(\varphi) = \emptyset$, if $\iota$ is a witness for $s \simeq s'$, then the assignment
$\sigma' = \iota \circ \sigma$ is equivalent to $\sigma$ for $s$ and $s'$. By Proposition 2.14 we have that $(D_{s'}, \sigma') \not\models \varphi$, that is,
$D_{s'} \not\models \varphi$. The case from left to right can be shown similarly. □

Thus, isomorphic states cannot be distinguished by FO-sentences. This enables us to use this 
notion when defining simulations as we will see in the next section. 

3. Abstractions for Sentence Atomic FO-CTL 

In the previous section we have observed that model checking AC-MAS against FO-CTLK is undecidable in general. So, it is clearly of interest to identify decidable settings. In what follows
we introduce two main results. The first, presented in this section, identifies restrictions on the
language; the second, presented in the next section, focuses on semantic constraints. While these
cases are in some sense orthogonal to each other, we show that they both lead to decidable model
checking problems. They are also both carried out on a rather natural subclass of AC-MAS that
we call bounded, which we identify below. Our goal for proceeding in this manner is to identify
finite abstractions of infinite-state AC-MAS, so that the verification of programs that admit AC-MAS as
models can be conducted on the abstractions rather than on the infinite-state AC-MAS. We will see this in detail
in Section 6.

Given our aims we begin by defining a first notion of bisimulation in the context of AC-MAS.
Bisimulations will be used to show that all bounded AC-MAS admit a finite, bisimilar, abstraction
that satisfies the same SA-FO-CTL specifications as the original AC-MAS. Also in what follows
we assume that $\mathcal{P} = \langle S, U, s_0, \tau \rangle$ and $\mathcal{P}' = \langle S', U', s'_0, \tau' \rangle$.

Definition 3.1 (Simulation) A relation $R \subseteq S \times S'$ is a simulation iff $\langle s, s' \rangle \in R$ implies:

1. $s \simeq s'$;

2. for every $t \in S$, if $s \to t$ then there exists $t' \in S'$ s.t. $s' \to t'$ and $\langle t, t' \rangle \in R$.

Definition 3.1 presents the standard notion of simulation applied to the case of AC-MAS. The difference from the propositional case is that we here insist on the states being isomorphic, a generalisation from the usual requirement for propositional valuations to be equal (Blackburn, de Rijke, &
Venema, 2001). As in the standard case, two states $s \in S$ and $s' \in S'$ are said to be similar, written
$s \preceq s'$, if there exists a simulation relation $R$ s.t. $\langle s, s' \rangle \in R$. It can be proven that the similarity
relation $\preceq$ is a simulation itself, and in particular the largest one w.r.t. set inclusion, and that it is
transitive and reflexive. Finally, we say that $\mathcal{P}'$ simulates $\mathcal{P}$, written $\mathcal{P} \preceq \mathcal{P}'$, if $s_0 \preceq s'_0$. We extend
the above to bisimulations.

Definition 3.2 (Bisimulation) A relation $B \subseteq S \times S'$ is a bisimulation iff both $B$ and $B^{-1} =
\{\langle s', s \rangle \mid \langle s, s' \rangle \in B\}$ are simulations.

We say that two states $s \in S$ and $s' \in S'$ are bisimilar, written $s \approx s'$, if there exists a bisimulation
$B$ s.t. $\langle s, s' \rangle \in B$. Similarly to simulations, it can be proven that the bisimilarity relation $\approx$ is the
largest bisimulation. Further, it is an equivalence relation. Finally, $\mathcal{P}$ and $\mathcal{P}'$ are said to be bisimilar,
written $\mathcal{P} \approx \mathcal{P}'$, if $s_0 \approx s'_0$.

Since, as shown in Corollary 2.15, the satisfaction of FO-sentences is invariant under isomorphisms, we can now extend the usual bisimulation result from the propositional case to that of
SA-FO-CTL. We begin by showing a result on bisimilar runs.

Proposition 3.3 Consider two AC-MAS $\mathcal{P}$ and $\mathcal{P}'$ such that $\mathcal{P} \approx \mathcal{P}'$, $s \approx s'$, for some $s \in S$, $s' \in S'$, and a run $r$ of $\mathcal{P}$ such that $r(0) = s$. Then there exists a run $r'$ of $\mathcal{P}'$ such that:

(i) $r'(0) = s'$;

(ii) for all $i \ge 0$, $r(i) \approx r'(i)$.

Proof. We show by induction that such a run $r'$ in $\mathcal{P}'$ exists. For $i = 0$, let $r'(0) = s'$. Obviously,
$r(0) \approx r'(0)$. Now assume, by induction hypothesis, that $r(i) \approx r'(i)$. Let $r(i) \to r(i+1)$.
Since $r(i) \approx r'(i)$, by Def. 3.1 there exists $t' \in S'$ such that $r'(i) \to t'$ and $r(i+1) \approx t'$. Let
$r'(i+1) = t'$; hence we obtain $r(i+1) \approx r'(i+1)$. By definition $r'$ is a run of $\mathcal{P}'$. □

This enables us to show that bisimilar AC-MAS preserve SA-FO-CTL formulas. This is an
extension of analogous results on propositional CTL.

Lemma 3.4 Consider the AC-MAS $\mathcal{P}$ and $\mathcal{P}'$ such that $\mathcal{P} \approx \mathcal{P}'$, $s \approx s'$, for some $s \in S$, $s' \in S'$,
and an SA-FO-CTL formula $\varphi$. Then,

$(\mathcal{P}, s) \models \varphi$ iff $(\mathcal{P}', s') \models \varphi$

Proof. The proof is by induction on the structure of $\varphi$. Observe first that since $\varphi$ is sentence-atomic, its satisfaction does not depend on assignments. We report the proof for the left-to-right
part of the implication; the converse can be shown similarly.

The base case for an FO-sentence $\varphi$ follows from Corollary 2.15. The inductive cases for propositional connectives are straightforward.

For $\varphi = AX\psi$, assume for contradiction that $(\mathcal{P}, s) \models \varphi$ and $(\mathcal{P}', s') \not\models \varphi$. Then, there exists
a run $r'$ s.t. $r'(0) = s'$ and $(\mathcal{P}', r'(1)) \not\models \psi$. By Def. 3.2 and 3.1 there exists a $t \in S$ s.t. $s \to t$ and
$t \approx r'(1)$. Further, by seriality of $\to$, $s \to t$ can be extended to a run $r$ s.t. $r(0) = s$ and $r(1) = t$.
By the induction hypothesis we obtain that $(\mathcal{P}, r(1)) \not\models \psi$. Hence, $(\mathcal{P}, r(0)) \not\models AX\psi$, which is a
contradiction.

For $\varphi = E\psi U \phi$, let $r$ be a run with $r(0) = s$ such that there exists $k \ge 0$ such that $(\mathcal{P}, r(k)) \models \phi$, and for every $j$, $0 \le j < k$ implies $(\mathcal{P}, r(j)) \models \psi$. By Prop. 3.3 there exists a run $r'$ s.t. $r'(0) = s'$
and for all $i \ge 0$, $r'(i) \approx r(i)$. By the induction hypothesis we have that for each $i \in \mathbb{N}$, $(\mathcal{P}, r(i)) \models \psi$ iff $(\mathcal{P}', r'(i)) \models \psi$, and $(\mathcal{P}, r(i)) \models \phi$ iff $(\mathcal{P}', r'(i)) \models \phi$. Therefore, $r'$ is a run s.t. $r'(0) = s'$,
$(\mathcal{P}', r'(k)) \models \phi$, and for every $j$, $0 \le j < k$ implies $(\mathcal{P}', r'(j)) \models \psi$, i.e., $(\mathcal{P}', s') \models E\psi U \phi$.

For $\varphi = A\psi U \phi$, assume for contradiction that $(\mathcal{P}, s) \models \varphi$ and $(\mathcal{P}', s') \not\models \varphi$. Then, there exists
a run $r'$ s.t. $r'(0) = s'$ and for every $k \ge 0$, if $(\mathcal{P}', r'(k)) \models \phi$, then there exists $j$ s.t. $0 \le j < k$
and $(\mathcal{P}', r'(j)) \not\models \psi$. By Prop. 3.3 there exists a run $r$ s.t. $r(0) = s$ and for all $i \ge 0$, $r(i) \approx r'(i)$.
Further, by the induction hypothesis we have that $(\mathcal{P}, r(i)) \models \psi$ iff $(\mathcal{P}', r'(i)) \models \psi$ and $(\mathcal{P}, r(i)) \models \phi$
iff $(\mathcal{P}', r'(i)) \models \phi$. But then $r$ is s.t. $r(0) = s$ and for every $k \ge 0$, if $(\mathcal{P}, r(k)) \models \phi$, then there
exists $j$ s.t. $0 \le j < k$ and $(\mathcal{P}, r(j)) \not\models \psi$. That is, $(\mathcal{P}, s) \not\models A\psi U \phi$, which is a contradiction.

□

By applying the result above to the case of $s = s_0$ and $s' = s'_0$, we obtain the following.

Theorem 3.5 Consider the AC-MAS $\mathcal{P}$ and $\mathcal{P}'$ such that $\mathcal{P} \approx \mathcal{P}'$, and an SA-FO-CTL formula $\varphi$.
We have

$\mathcal{P} \models \varphi$ iff $\mathcal{P}' \models \varphi$

In summary we have proved that bisimilar AC-MAS validate the same SA-FO-CTL formulas. 
In the next section we use this result to reduce, under additional assumptions, the verification of an 
infinite-state AC-MAS to that of a finite-state one. 

3.1 Finite Abstractions of Bisimilar AC-MAS 

We now define a notion of finite abstraction for AC-MAS. We prove that abstractions are bisimilar
to the corresponding concrete model. We are particularly interested in finite abstractions; so we
operate on a special class of infinite models that we call bounded.

Definition 3.6 (Bounded AC-MAS) An AC-MAS $\mathcal{P}$ is $b$-bounded, for $b \in \mathbb{N}$, if for all $s \in S$,

$|adom(s)| \le b$.

An AC-MAS is $b$-bounded if none of its reachable states contains more than $b$ distinct elements.
Observe that bounded AC-MAS may be defined on infinite domains $U$. Furthermore, note that a $b$-bounded AC-MAS may contain infinitely many states, all bounded by $b$. So $b$-bounded systems are
infinite-state in general. Notice also that the value $b$ bounds only the number of distinct individuals
in a state, not the size of the state itself, i.e., the amount of memory required to accommodate the
individuals. Indeed, the infinitely many elements of $U$ need an unbounded number of bits to be
represented (e.g., as finite strings), so, even though each state is guaranteed to contain at most $b$
distinct elements, nothing can be said about how large the actual space required by such elements
is. On the other hand, it should be clear that memory-bounded AC-MAS are finite-state (hence
$b$-bounded, for some $b$).
Thus, seen as programs, $b$-bounded AC-MAS are in general memory-unbounded. Therefore,
for the purpose of verification, they cannot be trivially checked by generating all their executions,
as would be the case if they were memory-bounded and as standard model checking techniques
typically do. However, we will show later that any $b$-bounded infinite-state AC-MAS admits a finite
abstraction which can be used to verify it.

We now introduce abstractions in a modular manner by first introducing a set of abstract agents
from a concrete AC-MAS.

Definition 3.7 (Abstract agent) Let $A_i = \langle \mathcal{D}_i, L_i, Act_i, Pr_i \rangle$ be an agent defined on the interpretation
domain $U$. Given a set $U'$ of individuals, we define the abstract agent $A'_i = \langle \mathcal{D}'_i, L'_i, Act'_i, Pr'_i \rangle$ on
$U'$ such that:

1. $\mathcal{D}'_i = \mathcal{D}_i$;

2. $L'_i \subseteq \mathcal{D}_i(U')$;

3. $Act'_i = Act_i$;

4. $\alpha(\vec{u}') \in Pr'_i(l'_i)$ iff there exist $l_i \in L_i$ and $\alpha(\vec{u}) \in Pr_i(l_i)$ s.t. $l'_i \simeq l_i$, for some witness $\iota$, and
$\vec{u}' = \iota'(\vec{u})$, for some bijection $\iota'$ extending $\iota$ to $\vec{u}$.

Given a set $Ag$ of agents defined on $U$, let $Ag'$ be the set of the corresponding abstract agents
on $U'$.

We remark that A', as defined in Definition 3.7, is indeed an agent and complies with Defini- 
tion 2.6. Notice that the protocol of A' is defined on the basis of its corresponding concrete agent 
A and requires the existence of a bijection between the elements in the local states and the action 
parameters. Thus, in order for a ground action of A to have a counterpart in A', the last requirement 
of Definition 3.7 constrains U' to contain a sufficient number of distinct values. As it will become 
apparent later, the size of U' determines how closely an abstract system can simulate its concrete 
counterpart. 

We can now formalize the notion of abstraction that we will use in this section. 

Definition 3.8 (Abstraction) Let $\mathcal{P}$ be an AC-MAS over $Ag$ and $Ag'$ the set of agents obtained as
in Definition 3.7, for some $U'$. The AC-MAS $\mathcal{P}'$ defined over $Ag'$ is said to be an abstraction of $\mathcal{P}$
iff:

• $s'_0 \simeq s_0$;

• $t' \in \tau'(s', \vec{\alpha}(\vec{u}'))$ for some $\vec{\alpha}(\vec{u}') \in Act(U')$ iff there exist $s, t \in S$ and $\vec{\alpha}(\vec{u}) \in Act(U)$, such
that $t \in \tau(s, \vec{\alpha}(\vec{u}))$, $s \simeq s'$ and $t \simeq t'$ for some witness $\iota$, and $\vec{u}' = \iota'(\vec{u})$ for some $\iota'$ extending
$\iota$.

Notice that abstractions have initial states isomorphic to their concrete counterparts. The condition in Definition 3.8 means that whenever $s \simeq s'$ for some witness $\iota$, $\vec{u}' = \iota(\vec{u})$, $t \in \tau(s, \vec{\alpha}(\vec{u}))$
and $t' \in \tau'(s', \vec{\alpha}(\vec{u}'))$, then $t \simeq t'$. This constraint means that actions are data-independent. So, for
example, a copy action in the concrete model has a corresponding copy action in the abstract model
regardless of the data that are copied. Crucially, this condition requires that the domain $U'$ contains
enough elements to simulate the concrete states and action effects, as the following result makes
precise. In what follows we take $N_{Ag} = N_{Ag'} = \sum_{A_i \in Ag} \max_{\alpha(\vec{p}) \in Act_i} |\vec{p}|$, i.e., $N_{Ag}$ is the sum
of the maximum numbers of parameters contained in the action types of each agent in $Ag$.






Theorem 3.9 Consider a $b$-bounded AC-MAS $\mathcal{P}$ over an infinite interpretation domain $U$, an SA-FO-CTLK formula $\varphi$, and a finite interpretation domain $U'$ such that $C \subseteq U'$ and $|U'| \ge b + |C| + N_{Ag}$. Any abstraction $\mathcal{P}'$ of $\mathcal{P}$ is bisimilar to $\mathcal{P}$.

Proof. Define a relation $R$ as $R = \{\langle s, s' \rangle \in S \times S' \mid s \simeq s'\}$. We show that $R$ is a
bisimulation such that $\langle s_0, s'_0 \rangle \in R$. Observe first that $s'_0 \simeq s_0$, so $\langle s_0, s'_0 \rangle \in R$. Next, consider
$s \in S$ and $s' \in S'$ such that $s \simeq s'$ (i.e., $\langle s, s' \rangle \in R$), and assume that $s \to t$, for some $t \in S$. Then,
there exists $\vec{\alpha}(\vec{u}) \in Act(U)$ s.t. $t \in \tau(s, \vec{\alpha}(\vec{u}))$. We show next that there exists $t' \in S'$ s.t. $s' \to t'$
and $t \simeq t'$. To this end, observe that, since $|U'| \ge b + |C|$ and $|adom(t)| \le b$, we can define an
injective function $f : adom(t) \cup C \mapsto U'$ such that $f(t) \simeq t$. We take $t' = f(t)$; it remains to
prove that $s' \to t'$. By the condition on the cardinality of $U'$ we can extend $f$ to $\vec{u}$ as well, and set
$\vec{u}' = f(\vec{u})$. Then, by the definition of $\mathcal{P}'$ we have that $t' \in \tau'(s', \vec{\alpha}(\vec{u}'))$. Hence, $s' \to t'$. So, $R$
is a simulation relation between $\mathcal{P}$ and $\mathcal{P}'$. Since $R^{-1}$ can similarly be shown to be a simulation, it
follows that $\mathcal{P}$ and $\mathcal{P}'$ are bisimilar. □

By combining this result with Lemma 3.4, we can easily derive the main result of this section. 

Theorem 3.10 If $\mathcal{P}$ is a $b$-bounded AC-MAS over an infinite interpretation domain $U$, and $\mathcal{P}'$ an
abstraction of $\mathcal{P}$ over a finite interpretation domain $U'$ such that $C \subseteq U'$ and $|U'| \ge b + |C| + N_{Ag}$,
then for every SA-FO-CTLK formula $\varphi$, we have that

$\mathcal{P} \models \varphi$ iff $\mathcal{P}' \models \varphi$.

This result states that we can reduce the verification of an infinite-state AC-MAS to the verification of
a finite one. Given the fact that checking a finite AC-MAS is decidable, this is a noteworthy result.
Note, however, that we do not have a constructive procedure for building an abstract
AC-MAS $\mathcal{P}'$ from a concrete AC-MAS $\mathcal{P}$. This is of no consequence though, as in practice any
concrete artifact system will be defined by a program, e.g., in the language GSM, as discussed
in the introduction. Of importance, instead, is to be able to derive finite abstractions not just for
arbitrary AC-MAS but for those that are models of concrete programs. We will do this in Section 6,
where we will use the result above.

Observe that an abstract AC-MAS as in Definition 3.8 depends on the set $Ag'$ of abstract agents
defined in Definition 3.7. However, other abstract AC-MAS, defined on different sets of agents,
exist. This is a standard outcome when defining modular abstractions, as the same system can be
obtained by considering different agent components.

4. Abstractions for FO-CTLK 

In the previous section we showed that syntactical restrictions on the specification language lead to
finite abstractions for bounded AC-MAS. A natural question that arises is whether the limitation to
sentence-atomic specifications can be removed. Doing so would enable us to check any agent-based
FO-CTLK specification not on an infinite-state AC-MAS, but on its finite abstraction.

The key concept we identify in this section that enables us to achieve the above is that of uniformity. As we will see later, uniform AC-MAS are systems for which the behaviour does not depend
on the actual data present in the states. This means that the system contains all possible transitions
that are enabled according to parametric action rules, thereby resulting in a rather "full" transition
relation. This notion corresponds to that of genericity in databases (Abiteboul et al., 1995). We use
the term "uniformity" as we refer to transition systems and not databases.

To achieve finite abstractions we proceed as follows. We first introduce a notion of bisimulation 
stronger than the one discussed in the previous section. In Subsection 4.1 we show that this new 
bisimulation relation guarantees that uniform AC-MAS satisfy the same formulas in FO-CTLK. We 
use this result to show that bounded, uniform systems admit finite abstractions (Subsection 4.2). 

In the rest of the section we let $\mathcal{P} = \langle S, U, s_0, \tau \rangle$ and $\mathcal{P}' = \langle S', U', s'_0, \tau' \rangle$ be two AC-MAS
and assume, unless stated differently, that $s = \langle l_0, \ldots, l_n \rangle \in S$, and $s' = \langle l'_0, \ldots, l'_n \rangle \in S'$.

4.1 ⊕-Bisimulation

Plain bisimulations are known to be satisfaction preserving in a modal propositional setting (Blackburn et al., 2001). In the following we explore the conditions under which this applies to AC-MAS
as well. We begin by using a notion of bisimulation which is also based on isomorphism, but is
stronger than the one discussed in Section 3, and later explore its properties in the context of uniform
AC-MAS.

Definition 4.1 (⊕-Simulation) A relation $R$ on $S \times S'$ is a ⊕-simulation if $\langle s, s' \rangle \in R$ implies:

1. $s \simeq s'$;

2. for every $t \in S$, if $s \to t$ then there exists $t' \in S'$ s.t. $s' \to t'$, $s \oplus t \simeq s' \oplus t'$, and $\langle t, t' \rangle \in R$;

3. for every $t \in S$, for every $0 \le i \le n$, if $s \sim_i t$ then there exists $t' \in S'$ s.t. $s' \sim_i t'$,
$s \oplus t \simeq s' \oplus t'$, and $\langle t, t' \rangle \in R$.

Observe that Definition 4.1 differs from Definition 3.1 not only by adding a condition for the epistemic relation, but also by insisting that $s \oplus t \simeq s' \oplus t'$. This condition ensures that the ⊕-similar
transitions in AC-MAS have isomorphic disjoint unions. Two states $s \in S$ and $s' \in S'$ are said
to be ⊕-similar iff there exists a ⊕-simulation $R$ s.t. $\langle s, s' \rangle \in R$. Note that all ⊕-similar states
are isomorphic as condition 2 above ensures that $t \simeq t'$. We use the symbol $\preceq$ both for similarity
and ⊕-similarity, as the context will disambiguate. Also ⊕-similarity can be shown to be the largest
⊕-simulation, reflexive, and transitive. Further, we say that $\mathcal{P}'$ ⊕-simulates $\mathcal{P}$ if $s_0 \preceq s'_0$.
⊕-simulations can naturally be extended to ⊕-bisimulations.

Definition 4.2 (⊕-Bisimulation) A relation $B$ on $S \times S'$ is a ⊕-bisimulation iff both $B$ and $B^{-1} =
\{\langle s', s \rangle \mid \langle s, s' \rangle \in B\}$ are ⊕-simulations.

Two states $s \in S$ and $s' \in S'$ are said to be ⊕-bisimilar iff there exists a ⊕-bisimulation $B$ such
that $\langle s, s' \rangle \in B$. Also for bisimilarity and ⊕-bisimilarity we use the same symbol $\approx$, and it can be
proven that $\approx$ is the largest ⊕-bisimulation, and an equivalence relation. We say that $\mathcal{P}$ and $\mathcal{P}'$ are
⊕-bisimilar, written $\mathcal{P} \approx \mathcal{P}'$, iff so are $s_0$ and $s'_0$.

While we observed in the previous section that bisimilar, hence isomorphic, states in bisimilar systems satisfy the same atomic formulas, it is instructive to note that this is not the case when full FO-CTLK formulas are considered.

Example. Consider Figure 2, where $C = \emptyset$ and $\mathcal{P}$ and $\mathcal{P}'$ are given as follows. For the number $n$ of agents equal to 1, we define $\mathcal{D} = \mathcal{D}' = \{P/1\}$ and $U = U' = \mathbb{N}$; $s_0(P) = s'_0(P) = \{1\}$; $\tau = \{(s, s') \mid s(P) = \{i\},\ s'(P) = \{i + 1\}\}$; $\tau' = \{(s, s') \mid s(P) = \{i\},\ s'(P) = \{(i + 1) \bmod 2\}\}$. Notice that $S \subseteq \mathcal{D}(\mathbb{N})$ and $S' \subseteq \mathcal{D}(\mathbb{N})$. Clearly we have that $\mathcal{P} \approx \mathcal{P}'$: any two singleton states are isomorphic, and the disjoint union $\{i\} \oplus \{i+1\}$ of a transition of $\mathcal{P}$ is isomorphic to the disjoint union of either transition of $\mathcal{P}'$. Now, consider the constant-free FO-CTLK formula $\varphi = AG(\forall x (P(x) \to AX\, AG\, \neg P(x)))$. It can be easily seen that $\mathcal{P} \models \varphi$ while $\mathcal{P}' \not\models \varphi$: in $\mathcal{P}$ a value that leaves $P$ never re-enters it, whereas in $\mathcal{P}'$ the value 1 re-enters $P$ every two steps.

Figure 2: $\oplus$-Bisimilar AC-MAS not satisfying the same FO-CTLK formulas.

The above shows that $\oplus$-bisimilarity is not a sufficient condition to guarantee preservation of the satisfaction of FO-CTLK formulas. Intuitively, this is a consequence of the fact that $\oplus$-bisimilar AC-MAS do not preserve value associations along runs. For instance, the value 1 in $\mathcal{P}'$ is infinitely many times associated with the odd values occurring in $\mathcal{P}$. By quantifying across states we are able to express this fact and are therefore able to distinguish the two structures. This is a difficulty as, intuitively, we would like to use $\oplus$-bisimulations to demonstrate the existence of finite abstractions. Indeed, as we will show later, this is possible for the class of uniform AC-MAS, defined below.

Definition 4.3 (Uniformity) An AC-MAS $\mathcal{P}$ is said to be uniform iff for every $s, t, s' \in S$ and $t' \in \mathcal{D}(U)$,

1. if $t \in \tau(s, \alpha(\vec{u}))$ and $s \oplus t \simeq s' \oplus t'$ for some witness $\iota$, then for every constant-preserving bijection $\iota'$ that extends $\iota$ to $\vec{u}$, we have that $t' \in \tau(s', \alpha(\iota'(\vec{u})))$;

2. if $s \sim_i t$ and $s \oplus t \simeq s' \oplus t'$, then $s' \sim_i t'$.

This definition captures the idea that actions take into account and operate only on the relational structure of states and action parameters, irrespective of the actual data they contain (apart from a finite set of constants). Intuitively, it says that if $t$ can be obtained by executing $\alpha(\vec{u})$ in $s$, and we replace in $s$, $\vec{u}$ and $t$ the same element $v$ with $v'$, obtaining, say, $s'$, $\vec{u}'$ and $t'$, then $t'$ can be obtained by executing $\alpha(\vec{u}')$ in $s'$. In terms of the underlying Kripke structures this means that the systems are "full" up to $\oplus$, i.e., in all uniform AC-MAS the points $t'$ identified above are indeed part of the system and reachable from $s'$. A similar condition is required on the epistemic relation. A useful property of uniform systems is the fact that the latter requirement is implied by the former, as shown by the following result.

Proposition 4.4 If an AC-MAS $\mathcal{P}$ satisfies req. 1 in Def. 4.3 and $adom(s_0) \subseteq C$, then req. 2 is also satisfied.

Proof. If $s \oplus t \simeq s' \oplus t'$, then there is a witness $\iota : adom(s) \cup adom(t) \cup C \to adom(s') \cup adom(t') \cup C$ that is the identity on $C$ (hence on $adom(s_0)$). Assume $s \sim_i t$, thus $l_i(s) = l_i(t)$, and $l_i(s') = \iota(l_i(s)) = \iota(l_i(t)) = l_i(t')$. Notice that this does not guarantee that $s' \sim_i t'$, as we still need to prove that $t' \in S$. This can be done by showing that $t'$ is reachable from $s_0$. Since $t$ is reachable from $s_0$, there exists a run $s_0 \to s_1 \to \cdots \to s_k$ s.t. $s_k = t$. Extend now $\iota$ to a total and injective function $\iota' : adom(s_0) \cup \cdots \cup adom(s_k) \cup C \to U$. This can always be done because $|U| \ge |adom(s_0) \cup \cdots \cup adom(s_k) \cup C|$. Now consider the sequence $\iota'(s_0), \iota'(s_1), \ldots, \iota'(s_k)$. Since $adom(s_0) \subseteq C$ we have $\iota(s_0) = s_0$ and, because $\iota'$ extends $\iota$, also $\iota'(s_0) = \iota(s_0) = s_0$. Further, $\iota'(s_k) = \iota(t) = t'$. By repeated applications of req. 1 we can show that $\iota'(s_{m+1}) \in \tau(\iota'(s_m), \alpha(\iota'(\vec{u})))$ whenever $s_{m+1} \in \tau(s_m, \alpha(\vec{u}))$, for $m < k$. Hence, the sequence is actually a run from $s_0$ to $t'$. Thus, $t' \in S$, and $s' \sim_i t'$. □

Thus, as long as $adom(s_0) \subseteq C$, to check whether an AC-MAS is uniform it is sufficient to take into account only the transition function.

A further distinctive feature of uniform systems is that all isomorphic states are $\oplus$-bisimilar.

Proposition 4.5 If an AC-MAS $\mathcal{P}$ is uniform, then for every $s, s' \in S$, $s \simeq s'$ implies $s \approx s'$.

Proof. We prove that $B = \{\langle s, s' \rangle \in S \times S \mid s \simeq s'\}$ is a $\oplus$-bisimulation. Observe that since $\simeq$ is an equivalence relation, so is $B$. Thus $B$ is symmetric and $B = B^{-1}$. Therefore, proving that $B$ is a $\oplus$-simulation proves also that $B^{-1}$ is a $\oplus$-simulation; hence, that $B$ is a $\oplus$-bisimulation. To this end, let $\langle s, s' \rangle \in B$, and assume $s \to t$ for some $t \in S$. Then, $t \in \tau(s, \alpha(\vec{u}))$ for some $\alpha(\vec{u}) \in Act(U)$. Consider a witness $\iota$ for $s \simeq s'$. By cardinality considerations $\iota$ can be extended to a total and injective function $\iota' : adom(s) \cup adom(t) \cup \{\vec{u}\} \cup C \to U$. Consider $\iota'(t) = t'$; it follows that $\iota'$ is a witness for $s \oplus t \simeq s' \oplus t'$. Since $\mathcal{P}$ is uniform, $t' \in \tau(s', \alpha(\iota'(\vec{u})))$, that is, $s' \to t'$. Moreover, $\iota'$ is a witness for $t \simeq t'$, thus $\langle t, t' \rangle \in B$. Next assume that $\langle s, s' \rangle \in B$ and $s \sim_i t$ for some $t \in S$. By reasoning as above we can find a witness $\iota$ for $s \simeq s'$, and an extension $\iota'$ of $\iota$ s.t. $t' = \iota'(t)$ and $\iota'$ is a witness for $s \oplus t \simeq s' \oplus t'$. Since $\mathcal{P}$ is uniform, $s' \sim_i t'$ and $\langle t, t' \rangle \in B$. □

This result intuitively means that submodels generated by isomorphic states are $\oplus$-bisimilar.

Next we prove some partial results, which will be useful in proving our main preservation theorem. The first two results guarantee that under appropriate cardinality constraints the $\oplus$-bisimulation preserves the equivalence of assignments w.r.t. a given FO-CTLK formula.

Lemma 4.6 Consider two $\oplus$-bisimilar and uniform AC-MAS $\mathcal{P}$ and $\mathcal{P}'$, two $\oplus$-bisimilar states $s \in S$ and $s' \in S'$, and an FO-CTLK formula $\varphi$. For every pair of assignments $\sigma$ and $\sigma'$ equivalent for $\varphi$ w.r.t. $s$ and $s'$, we have that:

1. for every $t \in S$ s.t. $s \to t$, if $|U'| \ge |adom(s) \cup adom(t) \cup C \cup \sigma(free(\varphi))|$ then there exists $t' \in S'$ s.t. $s' \to t'$, $t \approx t'$, and $\sigma$ and $\sigma'$ are equivalent for $\varphi$ w.r.t. $t$ and $t'$.

2. for every $t \in S$ s.t. $s \sim_i t$, if $|U'| \ge |adom(s) \cup adom(t) \cup C \cup \sigma(free(\varphi))|$ then there exists $t' \in S'$ s.t. $s' \sim_i t'$, $t \approx t'$, and $\sigma$ and $\sigma'$ are equivalent for $\varphi$ w.r.t. $t$ and $t'$.

Proof. To prove (1), let $\gamma$ be a bijection witnessing that $\sigma$ and $\sigma'$ are equivalent for $\varphi$ w.r.t. $s$ and $s'$. Suppose that $s \to t$. Since $s \approx s'$, by definition of $\oplus$-bisimulation there exists $t'' \in S'$ s.t. $s' \to t''$, $s \oplus t \simeq s' \oplus t''$, and $t \approx t''$. Now, define $Dom_\iota = adom(s) \cup adom(t) \cup C$, and partition it into:

• $Dom_\gamma = adom(s) \cup C \cup (adom(t) \cap \sigma(free(\varphi)))$;

• $Dom_{\iota'} = adom(t) \setminus Dom_\gamma$.

Let $\iota' : Dom_{\iota'} \to U' \setminus Im(\gamma)$ be an invertible (total) function. Observe that $|Im(\gamma)| = |adom(s') \cup C \cup \sigma'(free(\varphi))| = |adom(s) \cup C \cup \sigma(free(\varphi))|$; thus, from the fact that $|U'| \ge |adom(s) \cup adom(t) \cup C \cup \sigma(free(\varphi))|$, we have $|U' \setminus Im(\gamma)| \ge |Dom_{\iota'}|$, which guarantees the existence of $\iota'$.

Next, define $\iota : Dom_\iota \to U'$ as follows:

$$
\iota(u) = \begin{cases} \gamma(u), & \text{if } u \in Dom_\gamma \\ \iota'(u), & \text{if } u \in Dom_{\iota'} \end{cases}
$$

Obviously, $\iota$ is invertible. Thus, $\iota$ is a witness for $s \oplus t \simeq s' \oplus t'$, where $t' = \iota(t)$. Since $s \oplus t \simeq s' \oplus t''$ and $\simeq$ is an equivalence relation, $s' \oplus t' \simeq s' \oplus t''$. Thus, $s' \to t'$, as $\mathcal{P}'$ is uniform. Moreover, $\sigma$ and $\sigma'$ are equivalent for $\varphi$ w.r.t. $t$ and $t'$, by construction of $t'$. To check that $t \approx t'$, observe that, since $t' \simeq t''$ and $\mathcal{P}'$ is uniform, by Prop. 4.5 it follows that $t' \approx t''$. Thus, since $t \approx t''$ and $\approx$ is transitive, we obtain that $t \approx t'$. The proof for (2) has an analogous structure and is omitted. □

It can be proven that this result is tight, i.e., that if the cardinality requirement is violated, there exist cases where assignment equivalence is not preserved along temporal or epistemic transitions. Lemma 4.6 easily generalizes to t.e. runs.

Lemma 4.7 Consider two $\oplus$-bisimilar and uniform AC-MAS $\mathcal{P}$ and $\mathcal{P}'$, two $\oplus$-bisimilar states $s \in S$ and $s' \in S'$, an FO-CTLK formula $\varphi$, and two assignments $\sigma$ and $\sigma'$ equivalent for $\varphi$ w.r.t. $s$ and $s'$. For every t.e. run $r$ of $\mathcal{P}$, if $r(0) = s$ and for all $i \ge 0$, $|U'| \ge |adom(r(i)) \cup adom(r(i+1)) \cup C \cup \sigma(free(\varphi))|$, then there exists a t.e. run $r'$ of $\mathcal{P}'$ s.t. for all $i \ge 0$:

(i) $r'(0) = s'$;

(ii) $r(i) \approx r'(i)$;

(iii) $\sigma$ and $\sigma'$ are equivalent for $\varphi$ w.r.t. $r(i)$ and $r'(i)$;

(iv) if $r(i) \to r(i+1)$ then $r'(i) \to r'(i+1)$, and if $r(i) \sim_j r(i+1)$, for some $j$, then $r'(i) \sim_j r'(i+1)$.

Proof. Let $r$ be a t.e. run s.t. $|U'| \ge |adom(r(i)) \cup adom(r(i+1)) \cup C \cup \sigma(free(\varphi))|$ for all $i \ge 0$. We inductively build $r'$ and show that the conditions above are satisfied. For $i = 0$, let $r'(0) = s'$. By hypothesis, $r$ is s.t. $|U'| \ge |adom(r(0)) \cup adom(r(1)) \cup C \cup \sigma(free(\varphi))|$. Thus, since $r(0) \rightsquigarrow r(1)$, by Lemma 4.6 there exists $t' \in S'$ s.t. $r'(0) \rightsquigarrow t'$, $r(1) \approx t'$, and $\sigma$ and $\sigma'$ are equivalent for $\varphi$ w.r.t. $r(1)$ and $t'$. Let $r'(1) = t'$. Lemma 4.6 guarantees that the transitions $r'(0) \rightsquigarrow t'$ and $r(0) \rightsquigarrow r(1)$ can be chosen so that they are either both temporal or both epistemic with the same index.

The case for $i > 0$ is similar. Assume that $r(i) \approx r'(i)$ and $\sigma$ and $\sigma'$ are equivalent for $\varphi$ w.r.t. $r(i)$ and $r'(i)$. Since $r(i) \rightsquigarrow r(i+1)$ and $|U'| \ge |adom(r(i)) \cup adom(r(i+1)) \cup C \cup \sigma(free(\varphi))|$, by Lemma 4.6 there exists $t' \in S'$ s.t. $r'(i) \rightsquigarrow t'$, $\sigma$ and $\sigma'$ are equivalent for $\varphi$ w.r.t. $r(i+1)$ and $t'$, and $r(i+1) \approx t'$. Let $r'(i+1) = t'$. It is clear that $r'$ is a t.e. run in $\mathcal{P}'$, and that, by Lemma 4.6, the transitions of $r'$ can be chosen so as to fulfill requirement (iv). □

We can now prove the following result, which states that FO-CTLK formulas cannot distinguish $\oplus$-bisimilar and uniform AC-MAS. This is in marked contrast with the earlier example in this section, which operated on $\oplus$-bisimilar but non-uniform AC-MAS.
Theorem 4.8 Consider two $\oplus$-bisimilar and uniform AC-MAS $\mathcal{P}$ and $\mathcal{P}'$, two $\oplus$-bisimilar states $s \in S$ and $s' \in S'$, an FO-CTLK formula $\varphi$, and two assignments $\sigma$ and $\sigma'$ equivalent for $\varphi$ w.r.t. $s$ and $s'$.

If

1. for every t.e. run $r$ s.t. $r(0) = s$, for all $k \ge 0$ we have $|U'| \ge |adom(r(k)) \cup adom(r(k+1)) \cup C \cup \sigma(free(\varphi))| + |vars(\varphi) \setminus free(\varphi)|$; and

2. for every t.e. run $r'$ s.t. $r'(0) = s'$, for all $k \ge 0$ we have $|U| \ge |adom(r'(k)) \cup adom(r'(k+1)) \cup C \cup \sigma'(free(\varphi))| + |vars(\varphi) \setminus free(\varphi)|$;

then

$(\mathcal{P}, s, \sigma) \models \varphi$ iff $(\mathcal{P}', s', \sigma') \models \varphi$.

Proof. The proof is by induction on the structure of $\varphi$. We prove that if $(\mathcal{P}, s, \sigma) \models \varphi$ then $(\mathcal{P}', s', \sigma') \models \varphi$. The other direction can be proved analogously. The base case for atomic formulas follows from Prop. 2.14. The inductive cases for propositional connectives are straightforward.

For $\varphi = \forall x \psi$, assume that $x \in free(\psi)$ (otherwise consider $\psi$, and the corresponding case), and that no variable is quantified more than once (otherwise rename the other variables). Let $\gamma$ be a bijection witnessing that $\sigma$ and $\sigma'$ are equivalent for $\varphi$ w.r.t. $s$ and $s'$. For $u \in adom(s)$, consider the assignment $\sigma\binom{x}{u}$. By definition, $\gamma(u) \in adom(s')$, and $\sigma'\binom{x}{\gamma(u)}$ is well-defined. Note that $free(\psi) = free(\varphi) \cup \{x\}$; so $\sigma\binom{x}{u}$ and $\sigma'\binom{x}{\gamma(u)}$ are equivalent for $\psi$ w.r.t. $s$ and $s'$. Moreover, $|\sigma\binom{x}{u}(free(\psi))| \le |\sigma(free(\varphi))| + 1$, as $u$ may not occur in $\sigma(free(\varphi))$. The same considerations apply to $\sigma'$. Further, $|vars(\psi) \setminus free(\psi)| = |vars(\varphi) \setminus free(\varphi)| - 1$, as $vars(\psi) = vars(\varphi)$, $free(\psi) = free(\varphi) \cup \{x\}$, and $x \notin free(\varphi)$. Thus, both hypotheses 1. and 2. remain satisfied if we replace $\varphi$ with $\psi$, $\sigma$ with $\sigma\binom{x}{u}$, and $\sigma'$ with $\sigma'\binom{x}{\gamma(u)}$. Therefore, by the induction hypothesis, if $(\mathcal{P}, s, \sigma\binom{x}{u}) \models \psi$ then $(\mathcal{P}', s', \sigma'\binom{x}{\gamma(u)}) \models \psi$. Since $u \in adom(s)$ is generic and $\gamma$ is a bijection, the result follows.

For $\varphi = AX\psi$, assume by contradiction that $(\mathcal{P}, s, \sigma) \models \varphi$ but $(\mathcal{P}', s', \sigma') \not\models \varphi$. Then, there exists a run $r'$ s.t. $r'(0) = s'$ and $(\mathcal{P}', r'(1), \sigma') \not\models \psi$. By Lemma 4.7, which applies as $|vars(\varphi) \setminus free(\varphi)| \ge 0$, there exists a run $r$ s.t. $r(0) = s$ and, for all $i \ge 0$, $r(i) \approx r'(i)$ and $\sigma$ and $\sigma'$ are equivalent for $\varphi$ w.r.t. $r(i)$ and $r'(i)$. Since $r$ is a run s.t. $r(0) = s$, it satisfies hypothesis 1. Moreover, the same hypothesis is necessarily satisfied by all the t.e. runs $r''$ s.t., for some $i \ge 0$, $r''(0) = r(i)$ (otherwise, the t.e. run $r(0) \cdots r(i) r''(1) r''(2) \cdots$ would not satisfy the hypothesis); the same considerations apply w.r.t. hypothesis 2 and all the t.e. runs $r'''$ s.t. $r'''(0) = r'(i)$, for some $i \ge 0$. In particular, these hold for $i = 1$. Thus, we can apply the induction hypothesis, by replacing $s$ with $r(1)$, $s'$ with $r'(1)$, and $\varphi$ with $\psi$ (observe that $vars(\varphi) = vars(\psi)$ and $free(\varphi) = free(\psi)$). But then we obtain $(\mathcal{P}, r(1), \sigma) \not\models \psi$, thus $(\mathcal{P}, r(0), \sigma) \not\models AX\psi$. This is a contradiction.

For $\varphi = E\psi U\phi$, assume that the only variables common to $\psi$ and $\phi$ occur free in both formulas (otherwise rename the quantified variables). Let $r$ be a run s.t. $r(0) = s$, and there exists $k \ge 0$ s.t. $(\mathcal{P}, r(k), \sigma) \models \phi$ and $(\mathcal{P}, r(j), \sigma) \models \psi$ for $0 \le j < k$. By Lemma 4.7 there exists a run $r'$ s.t. $r'(0) = s'$, and for all $i \ge 0$, $r'(i) \approx r(i)$, and $\sigma$ and $\sigma'$ are equivalent for $\varphi$ w.r.t. $r(i)$ and $r'(i)$. From each bijection $\gamma_i$ witnessing that $\sigma$ and $\sigma'$ are equivalent for $\varphi$ w.r.t. $r(i)$ and $r'(i)$, define the bijections $\gamma_{i,\psi} = \gamma_i|_{adom(r(i)) \cup C \cup \sigma(free(\psi))}$ and $\gamma_{i,\phi} = \gamma_i|_{adom(r(i)) \cup C \cup \sigma(free(\phi))}$. Since $free(\psi) \subseteq free(\varphi)$ and $free(\phi) \subseteq free(\varphi)$, it can be seen that $\gamma_{i,\psi}$ and $\gamma_{i,\phi}$ witness that $\sigma$ and $\sigma'$ are equivalent for $\psi$ and $\phi$ respectively, w.r.t. $r(i)$ and $r'(i)$. By the same argument used for the $AX$ case above, hypothesis 1 holds for all the t.e. runs $r''$ s.t. $r''(0) = r(i)$, for some $i \ge 0$, and hypothesis 2 holds for all the t.e. runs $r'''$ s.t. $r'''(0) = r'(i)$. Now observe that $|\sigma(free(\psi))|, |\sigma(free(\phi))| \le |\sigma(free(\varphi))|$. Moreover, by the assumption on the common variables of $\psi$ and $\phi$, $(vars(\varphi) \setminus free(\varphi)) = (vars(\psi) \setminus free(\psi)) \uplus (vars(\phi) \setminus free(\phi))$, thus $|vars(\varphi) \setminus free(\varphi)| = |vars(\psi) \setminus free(\psi)| + |vars(\phi) \setminus free(\phi)|$, hence $|vars(\psi) \setminus free(\psi)|, |vars(\phi) \setminus free(\phi)| \le |vars(\varphi) \setminus free(\varphi)|$. Therefore hypotheses 1 and 2 hold also with $\varphi$ uniformly replaced by $\psi$ or $\phi$. Then, the induction hypothesis applies for each $i$, by replacing $s$ with $r(i)$, $s'$ with $r'(i)$, and $\varphi$ with either $\psi$ or $\phi$. Thus, for each $i$, $(\mathcal{P}, r(i), \sigma) \models \psi$ iff $(\mathcal{P}', r'(i), \sigma') \models \psi$, and $(\mathcal{P}, r(i), \sigma) \models \phi$ iff $(\mathcal{P}', r'(i), \sigma') \models \phi$. Therefore, $r'$ is a run s.t. $r'(0) = s'$, $(\mathcal{P}', r'(k), \sigma') \models \phi$, and for every $j$, $0 \le j < k$ implies $(\mathcal{P}', r'(j), \sigma') \models \psi$, i.e., $(\mathcal{P}', s', \sigma') \models E\psi U\phi$.

For $\varphi = A\psi U\phi$, assume by contradiction that $(\mathcal{P}, s, \sigma) \models \varphi$ but $(\mathcal{P}', s', \sigma') \not\models \varphi$. Then, there exists a run $r'$ s.t. $r'(0) = s'$ and for every $k \ge 0$, either $(\mathcal{P}', r'(k), \sigma') \not\models \phi$ or there exists $j$ s.t. $0 \le j < k$ and $(\mathcal{P}', r'(j), \sigma') \not\models \psi$. By Lemma 4.7 there exists a run $r$ s.t. $r(0) = s$, and for all $i \ge 0$, $r(i) \approx r'(i)$ and $\sigma$ and $\sigma'$ are equivalent for $\varphi$ w.r.t. $r(i)$ and $r'(i)$. Similarly to the case of $E\psi U\phi$, it can be shown that $\sigma$ and $\sigma'$ are equivalent for $\psi$ and $\phi$ w.r.t. $r(i)$ and $r'(i)$, for all $i \ge 0$. Further, assuming w.l.o.g. that all variables common to $\psi$ and $\phi$ occur free in both formulas, it can be shown, as in the case of $E\psi U\phi$, that the induction hypothesis holds on every pair of runs obtained as suffixes of $r$ and $r'$, starting from their $i$-th state, for every $i \ge 0$. Thus, $(\mathcal{P}, r(i), \sigma) \models \psi$ iff $(\mathcal{P}', r'(i), \sigma') \models \psi$, and $(\mathcal{P}, r(i), \sigma) \models \phi$ iff $(\mathcal{P}', r'(i), \sigma') \models \phi$. But then $r$ is s.t. $r(0) = s$ and for every $k \ge 0$, either $(\mathcal{P}, r(k), \sigma) \not\models \phi$ or there exists $j$ s.t. $0 \le j < k$ and $(\mathcal{P}, r(j), \sigma) \not\models \psi$, that is, $(\mathcal{P}, s, \sigma) \not\models A\psi U\phi$. This is a contradiction.

For $\varphi = K_i\psi$, assume by contradiction that $(\mathcal{P}, s, \sigma) \models \varphi$ but $(\mathcal{P}', s', \sigma') \not\models \varphi$. Then, there exists $s''$ s.t. $s' \sim_i s''$ and $(\mathcal{P}', s'', \sigma') \not\models \psi$. By Lemma 4.7 there exists $s'''$ s.t. $s''' \approx s''$, $s \sim_i s'''$, and $\sigma$ and $\sigma'$ are equivalent for $\varphi$ w.r.t. $s'''$ and $s''$. Thus, by an argument analogous to that used for the case of $AX$, we can apply the induction hypothesis, obtaining $(\mathcal{P}, s''', \sigma) \not\models \psi$. But then $(\mathcal{P}, s, \sigma) \not\models K_i\psi$, which is a contradiction.

Finally, for $\varphi = C\psi$, assume by contradiction that $(\mathcal{P}, s, \sigma) \models \varphi$ but $(\mathcal{P}', s', \sigma') \not\models \varphi$. Then, there exists an $s''$ s.t. $s' \sim s''$ and $(\mathcal{P}', s'', \sigma') \not\models \psi$. Again by Lemma 4.7 there exists $s'''$ s.t. $s''' \approx s''$, $s \sim s'''$, and $\sigma$ and $\sigma'$ are equivalent for $\varphi$ w.r.t. $s'''$ and $s''$. Thus, by an argument analogous to that used for the case of $K_i$, we can apply the induction hypothesis, obtaining $(\mathcal{P}, s''', \sigma) \not\models \psi$. But then $(\mathcal{P}, s, \sigma) \not\models C\psi$, which is a contradiction. □

We can now easily extend the above result to the model checking problem for AC-MAS.

Theorem 4.9 Consider two $\oplus$-bisimilar and uniform AC-MAS $\mathcal{P}$ and $\mathcal{P}'$, and an FO-CTLK formula $\varphi$.

If

1. for all t.e. runs $r$ s.t. $r(0) = s_0$, and for all $k \ge 0$, $|U'| \ge |adom(r(k)) \cup adom(r(k+1)) \cup C| + |vars(\varphi)|$, and

2. for all t.e. runs $r'$ s.t. $r'(0) = s'_0$, and for all $k \ge 0$, $|U| \ge |adom(r'(k)) \cup adom(r'(k+1)) \cup C| + |vars(\varphi)|$,

then

$\mathcal{P} \models \varphi$ iff $\mathcal{P}' \models \varphi$.

Proof. Equivalently, we prove that if $(\mathcal{P}, s_0, \sigma) \not\models \varphi$ for some $\sigma$, then there exists a $\sigma'$ such that $(\mathcal{P}', s'_0, \sigma') \not\models \varphi$, and vice versa. To this end, observe that hypotheses 1. and 2. imply, respectively, hypotheses 1. and 2. of Theorem 4.8. Further, notice that, by cardinality considerations, given the assignment $\sigma : Var \to U$, there exists an assignment $\sigma' : Var \to U'$ s.t. $\sigma$ and $\sigma'$ are equivalent for $\varphi$ w.r.t. $s_0$ and $s'_0$. Thus, by applying Theorem 4.8 we have that if there exists an assignment $\sigma$ s.t. $(\mathcal{P}, s_0, \sigma) \not\models \varphi$, then there exists an assignment $\sigma'$ s.t. $(\mathcal{P}', s'_0, \sigma') \not\models \varphi$. The converse can be proved analogously, as the hypotheses are symmetric. □

This result shows that uniform AC-MAS can in principle be verified by model checking a $\oplus$-bisimilar one. Note that this applies to infinite AC-MAS $\mathcal{P}$ as well. In this case the results above enable us to show that the verification question can be posed on the corresponding, possibly finite, $\mathcal{P}'$ as long as $U'$, as defined above, is sufficiently large for $\mathcal{P}'$ to $\oplus$-bisimulate $\mathcal{P}$. A noteworthy class of infinite systems for which these results prove particularly powerful is that of bounded AC-MAS, which, as discussed in the next subsection, always admit a finite abstraction.

4.2 Finite Abstractions

We now combine the notion of uniformity explored so far in this section with the assumption on boundedness made in Section 3.1. Our aim remains to identify conditions under which the verification of an infinite AC-MAS can be reduced to the verification of a finite one. Differently from Section 3.1, we here operate on the full FO-CTLK specification language. The main result here is given by Corollary 4.14, which guarantees that, in the context of bounded AC-MAS, uniformity is a sufficient condition for $\oplus$-bisimilar finite abstractions to be satisfaction preserving.

In the following we assume that any AC-MAS $\mathcal{P}$ is such that $adom(s_0) \subseteq C$. If this is not the case, $C$ can be extended so as to include all the (finitely many) elements in $adom(s_0)$. Further, we recall that $N_{Ag}$ is the sum of the maximum numbers of parameters contained in the action types of each agent in $Ag$, i.e., $N_{Ag} = \sum_{A_i \in Ag} \max_{\alpha(\vec{x}) \in Act_i} \{|\vec{x}|\}$.

We start by formalizing the notion of $\oplus$-abstraction.

Definition 4.10 ($\oplus$-Abstraction) Let $\mathcal{P} = \langle S, U, s_0, \tau \rangle$ be an AC-MAS over $Ag$, and $Ag'$ the set of abstract agents obtained as in Definition 3.7, for some domain $U'$. The AC-MAS $\mathcal{P}' = \langle S', U', s'_0, \tau' \rangle$ over $Ag'$ is said to be an $\oplus$-abstraction of $\mathcal{P}$ iff:

• $s'_0 = s_0$;

• $t' \in \tau'(s', \alpha(\vec{u}'))$ iff there exist $s, t \in S$ and $\alpha(\vec{u}) \in Act(U)$ such that $s \oplus t \simeq s' \oplus t'$ for some witness $\iota$, $t \in \tau(s, \alpha(\vec{u}))$, and $\vec{u}' = \iota'(\vec{u})$ for some bijection $\iota'$ extending $\iota$ to $\vec{u}$.

Notice that $\mathcal{P}'$ is indeed an AC-MAS, as it satisfies the relevant conditions on protocols and transitions in Definition 2.7. Indeed, if $t' \in \tau'(s', \alpha(\vec{u}'))$, then there exist $s, t \in S$ and $\alpha(\vec{u})$ such that $t \in \tau(s, \alpha(\vec{u}))$, $s \oplus t \simeq s' \oplus t'$ for some witness $\iota$, and $\vec{u}' = \iota'(\vec{u})$ for some bijection $\iota'$ extending $\iota$. This means that $\alpha_i(\vec{u}_i) \in Pr_i(l_i)$ for $i \le n$. By definition of $Pr'_i$ we have that $\alpha_i(\vec{u}'_i) \in Pr'_i(l'_i)$ for $i \le n$. Further, if $U'$ has finitely many elements, then $S'$ has finitely many states. Observe that by varying $U'$ we obtain different $\oplus$-abstractions.

Next, we investigate the relationship between an AC-MAS and its $\oplus$-abstractions. A first useful result states that every $\oplus$-abstraction is uniform, independently of the properties of the AC-MAS it abstracts.
Lemma 4.11 Every $\oplus$-abstraction $\mathcal{P}'$ of an AC-MAS $\mathcal{P}$ is uniform.

Proof. Consider $s, t, s' \in S'$, $t' \in \mathcal{D}(U')$, and $\alpha(\vec{u}) \in Act'(U')$ s.t. $t \in \tau'(s, \alpha(\vec{u}))$ and $s \oplus t \simeq s' \oplus t'$, for some witness $\zeta$. We need to show that $\mathcal{P}'$ admits a transition from $s'$ to $t'$. Since $\mathcal{P}'$ is an $\oplus$-abstraction of $\mathcal{P}$, given the definition of $\tau'$, there exist $s'', t'' \in S$ and $\alpha(\vec{u}'') \in Act(U)$ s.t. $t'' \in \tau(s'', \alpha(\vec{u}''))$, $s'' \oplus t'' \simeq s \oplus t$, for some witness $\iota$, and $\vec{u} = \iota'(\vec{u}'')$, for some constant-preserving bijection $\iota'$ extending $\iota$ to $\vec{u}''$. Consider $\vec{u}' \in U'^{|\vec{u}|}$ such that $\vec{u}' = \zeta'(\vec{u})$, for some constant-preserving bijection $\zeta'$ extending $\zeta$ to $\vec{u}$. Obviously, the composition $\zeta' \circ \iota'$ is a constant-preserving bijection such that $\vec{u}' = \zeta'(\iota'(\vec{u}''))$. Moreover, it can be easily restricted to a witness for $s'' \oplus t'' \simeq s' \oplus t'$. But then, since $\mathcal{P}'$ is an $\oplus$-abstraction of $\mathcal{P}$, this implies that $t' \in \tau'(s', \alpha(\vec{u}'))$. This establishes requirement 1 of Definition 4.3; requirement 2 then follows from Proposition 4.4, since $adom(s'_0) = adom(s_0) \subseteq C$. Thus, $\mathcal{P}'$ is uniform. □

The second result below guarantees that every uniform, $b$-bounded AC-MAS is $\oplus$-bisimilar to any of its $\oplus$-abstractions, provided these are built over a sufficiently large interpretation domain.

Lemma 4.12 Consider a uniform, $b$-bounded AC-MAS $\mathcal{P}$ over an infinite interpretation domain $U$, and an interpretation domain $U'$ such that $C \subseteq U'$. If $|U'| \ge 2b + |C| + N_{Ag}$, then any $\oplus$-abstraction $\mathcal{P}'$ of $\mathcal{P}$ over $U'$ is $\oplus$-bisimilar to $\mathcal{P}$.

Proof. Let $B = \{\langle s, s' \rangle \in S \times S' \mid s \simeq s'\}$. We prove that $B$ is a $\oplus$-bisimulation such that $\langle s_0, s'_0 \rangle \in B$. We start by proving that $B$ is a $\oplus$-simulation relation. To this end, observe that since $s_0 = s'_0$, then $s_0 \simeq s'_0$, and $\langle s_0, s'_0 \rangle \in B$. Next, consider $\langle s, s' \rangle \in B$, thus $s \simeq s'$. Assume that $s \to t$, for some $t \in S$. Then, there must exist $\alpha(\vec{u}) \in Act(U)$ such that $t \in \tau(s, \alpha(\vec{u}))$. Moreover, since $|U'| \ge 2b + |C| + N_{Ag}$, $\sum_{A_i \in Ag} |\vec{u}_i| \le N_{Ag}$, and $|adom(s) \cup adom(t)| \le 2b$, the witness $\iota$ for $s \simeq s'$ can be extended to $\bigcup_{A_i \in Ag} \vec{u}_i$ as a bijection $\iota'$. Now let $t' = \iota'(t)$. By the way $\iota'$ has been defined, it can be seen that $s \oplus t \simeq s' \oplus t'$. Further, since $\mathcal{P}'$ is an $\oplus$-abstraction of $\mathcal{P}$, we have that $t' \in \tau'(s', \alpha(\vec{u}'))$ for $\vec{u}' = \iota'(\vec{u})$, that is, $s' \to t'$ in $\mathcal{P}'$. Therefore, there exists $t' \in S'$ such that $s' \to t'$, $s \oplus t \simeq s' \oplus t'$, and $\langle t, t' \rangle \in B$. As regards the epistemic relation, assume $s \sim_i t$ for some $0 \le i \le n$ and $t \in S$. By definition of $\sim_i$, $l_i(s) = l_i(t)$. Since $|U'| \ge 2b + |C|$, any witness $\iota$ for $s \simeq s'$ can be extended to a witness $\iota'$ for $s \oplus t \simeq s' \oplus t'$, where $t' = \iota'(t)$. Obviously, $l_i(s') = l_i(t')$. Thus, to prove that $s' \sim_i t'$, we need to show that $t' \in S'$, i.e., that $t'$ is reachable in $\mathcal{P}'$ from $s'_0 = s_0$. To this end, observe that since $t \in S$, there exists a purely temporal run $r$ such that $r(0) = s_0$ and $r(k) = t$, for some $k \ge 0$. Thus, there exist also $\alpha^1(\vec{u}^1), \ldots, \alpha^k(\vec{u}^k)$ such that $r(j+1) \in \tau(r(j), \alpha^{j+1}(\vec{u}^{j+1}))$ for $0 \le j < k$. Since $|U'| \ge 2b + |C|$, we can define, for $0 \le j < k$, a function $\iota_j$ that is a witness for $r(j) \oplus r(j+1) \simeq \iota_j(r(j)) \oplus \iota_j(r(j+1))$. In particular, this can be done starting from $j = k-1$, defining $\iota_{k-1}$ so that $\iota_{k-1}(r(k)) = \iota_{k-1}(t) = t'$, and proceeding backward to $j = 0$, guaranteeing that, for $0 \le j < k$, $\iota_j(r(j+1)) = \iota_{j+1}(r(j+1))$. Observe that since $adom(s_0) \subseteq C$, necessarily $\iota_0(r(0)) = \iota_0(s_0) = s_0 = s'_0$. Moreover, as $|U'| \ge 2b + |C| + N_{Ag}$, each $\iota_j$ can be extended to a bijection $\iota'_j$ on the elements occurring in $\vec{u}^{j+1}$. Thus, given that $\mathcal{P}'$ is an $\oplus$-abstraction of $\mathcal{P}$, for $0 \le j < k$ we have that $\iota'_j(r(j+1)) \in \tau'(\iota'_j(r(j)), \alpha^{j+1}(\iota'_j(\vec{u}^{j+1})))$. Hence, the sequence $\iota'_0(r(0)) \to \cdots \to \iota'_{k-1}(r(k))$ is a run of $\mathcal{P}'$ and, since $t' = \iota'_{k-1}(r(k))$, $t'$ is reachable in $\mathcal{P}'$. Therefore $s' \sim_i t'$. Further, since $t \simeq t'$, by definition of $B$ it is the case that $\langle t, t' \rangle \in B$, hence $B$ is a $\oplus$-simulation.

To prove that $B^{-1}$ is a $\oplus$-simulation, given $\langle s, s' \rangle \in B$ (thus $s \simeq s'$), assume that $s' \to t'$, for some $t' \in S'$. Obviously, there exists $\alpha(\vec{u}') \in Act(U')$ such that $t' \in \tau'(s', \alpha(\vec{u}'))$. Because $\mathcal{P}'$ is an $\oplus$-abstraction of $\mathcal{P}$, there exist $s'', t'' \in S$ and $\alpha(\vec{u}'') \in Act(U)$ such that $s'' \oplus t'' \simeq s' \oplus t'$, for some witness $\iota$, and $t'' \in \tau(s'', \alpha(\vec{u}''))$, with $\vec{u}'' = \iota'(\vec{u}')$, for some bijection $\iota'$ extending $\iota$ to $\vec{u}'$. Observe that $s' \simeq s''$, thus, by transitivity of $\simeq$, we have $s \simeq s''$. The fact that there exists $t \in S$ such that $s \to t$ and $s \oplus t \simeq s' \oplus t'$ easily follows from the uniformity of $\mathcal{P}$. Thus, since $t \simeq t'$, we have $\langle t, t' \rangle \in B$. For the epistemic relation, assume $s' \sim_i t'$, for some $t' \in S'$ and $0 \le i \le n$. Let $\iota$ be a witness for $s' \simeq s$, and let $\iota'$ be an extension of $\iota$ that is a witness for $s' \oplus t' \simeq s \oplus t$. For $t = \iota'(t')$ it can be seen that $l_i(s) = l_i(t)$. Observe that $t' \in S'$. Using an argument essentially analogous to the one above, but exploiting the fact that $\mathcal{P}$ is uniform, that $\mathcal{P}'$ is certainly $b$-bounded, and that $|U| \ge 2b + |C| + N_{Ag}$ as $U$ is infinite, we show that $t \in S$ by constructing a run $r$ of $\mathcal{P}$ such that $r(k) = t$, for some $k \ge 0$. Then $s \sim_i t$. Further, since $t \simeq t'$, we have $\langle t, t' \rangle \in B$. Therefore, $B^{-1}$ is a $\oplus$-simulation. So, $\mathcal{P}$ and $\mathcal{P}'$ are $\oplus$-bisimilar. □

This result allows us to prove our main abstraction theorem.

Theorem 4.13 Consider a $b$-bounded and uniform AC-MAS $\mathcal{P}$ over an infinite interpretation domain $U$, an FO-CTLK formula $\varphi$, and an interpretation domain $U'$ such that $C \subseteq U'$. If $|U'| \ge 2b + |C| + \max\{|vars(\varphi)|, N_{Ag}\}$, then for any $\oplus$-abstraction $\mathcal{P}'$ of $\mathcal{P}$ over $U'$, we have that:

$\mathcal{P} \models \varphi$ iff $\mathcal{P}' \models \varphi$.

Proof. By Lemma 4.11, $\mathcal{P}'$ is uniform. Thus, by the hypothesis on the cardinalities of $U$ and $U'$, Lemma 4.12 applies, so $\mathcal{P}$ and $\mathcal{P}'$ are $\oplus$-bisimilar. Obviously, also $\mathcal{P}'$ is $b$-bounded. Thus, since $\mathcal{P}$ and $\mathcal{P}'$ are $b$-bounded, and by the cardinality hypothesis on $U$ and $U'$, Theorem 4.9 applies. In particular, notice that for every temporal-epistemic run $r$ s.t. $r(0) = s_0$, and for all $k \ge 0$, we have that $|U'| \ge |adom(r(k)) \cup adom(r(k+1)) \cup C| + |vars(\varphi)|$, as $|adom(r(k))| \le b$ by $b$-boundedness. Therefore, $\mathcal{P} \models \varphi$ iff $\mathcal{P}' \models \varphi$. □

Note that the theorem above does not require $U'$ to be infinite. So, by using a sufficient number of abstract values in $U'$, we can in principle reduce the verification of an infinite, bounded, and uniform AC-MAS to the verification of a finite one. The following corollary to Theorem 4.13 states this clearly.

Corollary 4.14 Given a $b$-bounded and uniform AC-MAS $\mathcal{P}$ over an infinite interpretation domain $U$, and an FO-CTLK formula $\varphi$, there exists an AC-MAS $\mathcal{P}'$ over a finite interpretation domain $U'$ such that $\mathcal{P} \models \varphi$ iff $\mathcal{P}' \models \varphi$.

It should also be noted that $U'$ can simply be taken to be any finite subset of $U$ that contains $C$ and satisfies the cardinality requirement above. By doing so, the finite $\oplus$-abstraction $\mathcal{P}'$ can be defined simply as the restriction of $\mathcal{P}$ to $U'$. Thus, every infinite, $b$-bounded and uniform AC-MAS is $\oplus$-bisimilar to a finite subsystem which satisfies the same formulas.
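The restriction just described, and requirement 1 of Definition 4.3 that it relies on, can both be exercised on a small instance. The following Python is an added example and not code from the paper: it defines a toy one-agent artifact with a single unary relation Open (ids of open orders), three parameterised actions open, close and replace, bound b = 2 and no constants, all of which are assumptions of the example. It then (i) enumerates the ⊕-abstraction obtained by running the same transition rules over a finite prefix U' of ℕ, (ii) checks requirement 1 of Definition 4.3 on that abstraction by brute force over all witnesses, which Lemma 4.11 says must hold, and (iii) checks condition 2 of Definition 4.1 from the abstract side against the concrete successors, which is where the size of U' matters: with |U'| = 2 the abstraction has no counterpart for a replace transition that needs a fresh value, while at the bound of Theorem 4.13 (2b + |C| + max{|vars(φ)|, N_Ag} = 6 here for a one-variable formula) every concrete transition shape is matched.

```python
"""Finite abstraction of a bounded, uniform AC-MAS by restricting its domain.

Added example, not code from the paper.  The artifact is a toy: one unary
relation Open (ids of open orders), C = {} (so adom(s0) = {} is contained in C),
b = 2, and three actions whose effect depends only on the relational structure
of the state, which makes the system uniform.  States are frozensets of ints;
the concrete domain U is the natural numbers, the abstract domain U' a prefix.
"""
from itertools import combinations, permutations

B = 2             # bound b: never more than 2 open orders
C = frozenset()   # constants (none in this toy)
N_AG = 2          # N_Ag: replace(x, y) carries the most parameters

def successors(s, domain):
    """tau(s, alpha(u)) for every action alpha(u) with parameters in `domain`;
    returns a set of (action, t) pairs.  The same rules serve U and U'."""
    out = set()
    for x in domain:
        if x not in s and len(s) < B:                       # open(x)
            out.add((("open", x), s | {x}))
        if x in s:                                          # close(x)
            out.add((("close", x), s - {x}))
            for y in domain:                                # replace(x, y)
                if y not in s:
                    out.add((("replace", x, y), (s - {x}) | {y}))
    return out

def witness(s, t, s2, t2):
    """A constant-preserving bijection iota with iota(s) = s2 and iota(t) = t2,
    i.e. a witness for s (+) t ~ s2 (+) t2, or None.  Brute force: the active
    domains have at most 2b elements, so trying every bijection is cheap."""
    dom, dom2 = sorted(s | t | C), sorted(s2 | t2 | C)
    if len(dom) != len(dom2):
        return None
    for image in permutations(dom2):
        iota = dict(zip(dom, image))
        if (all(iota[c] == c for c in C)
                and {iota[v] for v in s} == s2 and {iota[v] for v in t} == t2):
            return iota
    return None

def reachable(domain):
    """States of the (+)-abstraction over `domain`: all states reachable from s0 = {}."""
    s0 = frozenset()
    seen, todo = {s0}, [s0]
    while todo:
        s = todo.pop()
        for _, t in successors(s, domain):
            if t not in seen:
                seen.add(t)
                todo.append(t)
    return seen

def uniform_req1(domain):
    """Requirement 1 of Definition 4.3, checked by brute force on the abstraction:
    whenever t in tau(s, alpha(u)) and s (+) t ~ s' (+) t' via iota, we need
    t' in tau(s', alpha(iota(u))).  In this toy every parameter occurs in
    adom(s) or adom(t), so iota never has to be extended to u."""
    states = reachable(domain)
    candidates = [frozenset(c) for k in range(B + 1) for c in combinations(domain, k)]
    for s in states:
        for (name, *u), t in successors(s, domain):
            for s2 in states:
                for t2 in candidates:
                    iota = witness(s, t, s2, t2)
                    if iota is not None:
                        renamed = (name, *[iota[p] for p in u])
                        if (renamed, t2) not in successors(s2, domain):
                            return False
    return True

def concrete_shapes(s):
    """Concrete successors of s over the infinite U, up to isomorphism of s (+) t:
    fresh values are interchangeable, so two naturals beyond adom(s) cover
    every shape (open and replace each need at most one fresh value)."""
    m = max(s, default=-1)
    return successors(s, set(s) | {m + 1, m + 2})

def abstraction_simulates(domain):
    """Condition 2 of Definition 4.1 from the abstract side.  An abstract state s
    is also a concrete state (U' is a subset of U), isomorphic to itself via the
    identity, so every concrete transition s -> t needs an abstract s -> t'
    with s (+) t ~ s (+) t'.  Fails when U' leaves no room for fresh values."""
    for s in reachable(domain):
        abstract = [t for _, t in successors(s, domain)]
        if any(all(witness(s, t, s, t2) is None for t2 in abstract)
               for _, t in concrete_shapes(s)):
            return False
    return True

def bound(num_vars):
    """|U'| >= 2b + |C| + max(|vars(phi)|, N_Ag), the hypothesis of Theorem 4.13."""
    return 2 * B + len(C) + max(num_vars, N_AG)

if __name__ == "__main__":
    k = bound(1)                      # a formula with a single variable
    print("bound:", k, "abstract states:", len(reachable(range(k))))
    print("uniform:", uniform_req1(range(k)))
    print("simulates concrete, |U'| =", k, ":", abstraction_simulates(range(k)))
    print("simulates concrete, |U'| = 2 :", abstraction_simulates(range(2)))
```

Checking the concrete side only up to isomorphism is legitimate precisely because the toy is uniform: a fresh value behaves like any other fresh value, so two canonical naturals beyond adom(s) already exhibit every shape of s ⊕ t. The witness search is exponential in |adom(s) ∪ adom(t)|, which is at most 2b, so this brute-force check is only meant for small bounds; the paper's bound is sufficient rather than tight, and for this toy three values would already suffice.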

Note that, similarly to what was noted at page 18, we are not concerned with the actual construction of the finite abstraction. This is because we intend to construct it directly from an artifact-centric program, as we will do in Section 6. Before that we explore the complexity of the model checking problem.

5. The Complexity of Model Checking Finite AC-MAS against FO-CTLK Specifications

We now analyse the complexity of the model checking problem for finite AC-MAS with respect to FO-CTLK specifications. The input of the problem consists of an AC-MAS $\mathcal{P}$ on a finite domain $U$ and an FO-CTLK formula $\varphi$; the solution is an assignment $\sigma$ such that $(\mathcal{P}, s_0, \sigma) \models \varphi$. Hereafter we follow (Grohe, 2001) for basic notions and definitions. To encode an AC-MAS $\mathcal{P}$ we use a tuple $E_{\mathcal{P}} = \langle U, \mathcal{D}, s_0, \Phi_\tau \rangle$, where $U$ is the (finite) interpretation domain, $\mathcal{D}$ is the global database schema, $s_0$ is the initial state, and $\Phi_\tau = \{\phi_{\alpha_1}, \ldots, \phi_{\alpha_m}\}$ is a set of FO-formulas, each capturing the transitions associated with a ground action $\alpha_i$. Since $U$ is finite, so is the set of ground actions, and thus $\Phi_\tau$. Each $\phi_{\alpha_i}$ is an FO-formula over local predicate symbols, in both normal and "primed" form, that is, $\phi_\alpha$ can mention both $P$ and $P'$. For the semantics of $\Phi_\tau$, we have that $s' \in \tau(s, \alpha)$ iff $s \oplus s' \models \phi_\alpha$, for $s, s' \in \mathcal{D}(U)$. It can be proved that every transition relation $\tau$ can be represented in this way, and that, given $E_{\mathcal{P}}$, the size $\|\mathcal{P}\| = |S| + |\tau|$ of the corresponding AC-MAS $\mathcal{P}$ is at most doubly exponential in the size of the input.

We consider the combined complexity of the problem, that is, complexity measured in the size $\|E_{\mathcal{P}}\| + \|\varphi\|$ of the whole input. In particular, the problem of model checking finite AC-MAS against FO-CTLK specifications is in EXPSPACE if there is a polynomial $p(x)$ and an algorithm solving the problem in space bounded by $2^{p(\|E_{\mathcal{P}}\| + \|\varphi\|)}$; it is EXPSPACE-hard if every EXPSPACE problem can be reduced to it; and it is EXPSPACE-complete if both hold. We now state the following complexity result.

Theorem 5.1 The complexity of the model checking problem for finite AC-MAS against FO-CTLK specifications is EXPSPACE-complete.

Proof. To show that the problem is in EXPSPACE, recall that $\|\mathcal{P}\|$ is at most doubly exponential w.r.t. the size of the input, thus so is $|S|$. We describe an algorithm that works in NEXPSPACE, which combines the algorithm for model checking the first-order fragment of FO-CTLK with the one for the temporal-epistemic fragment. Since NEXPSPACE = EXPSPACE, the result follows. Given an AC-MAS $\mathcal{P}$ and an FO-CTLK formula $\varphi$, we guess an assignment $\sigma$. Given such $\sigma$, we check whether $(\mathcal{P}, s_0, \sigma) \models \varphi$. This can be done by induction according to the structure of $\varphi$. If $\varphi$ is atomic, this check can be done in polynomial time w.r.t. the size of the state it is evaluated on, that is, exponential time w.r.t. $\|E_{\mathcal{P}}\|$. If $\varphi$ is of the form $\forall x \psi$, then we can apply the algorithm for model checking first-order (non-modal) logic, which works in PSPACE. Finally, if the outermost operator in $\varphi$ is either a temporal or an epistemic modality, then we can extend the automata-based algorithm to model check propositional CTL in (Kupferman, Vardi, & Wolper, 2000), which works in logarithmic space in $|S|$. However, we remarked above that $|S|$ is in general doubly exponential in $\|E_{\mathcal{P}}\|$. Thus, if the main operator in $\varphi$ is either a temporal or an epistemic modality, this step can be performed in space singly exponential in $\|E_{\mathcal{P}}\|$. The number of such steps is polynomial in the size of $\varphi$. As a result, the total combined complexity of model checking finite AC-MAS is in NEXPSPACE = EXPSPACE.

To prove that the problem is EXPSPACE-hard we show a reduction from any problem in EXPSPACE. We assume standard definitions of Turing machines and reductions (Papadimitriou, 1994). If $A$ is a problem in EXPSPACE, then there exists a deterministic Turing machine $T_A = \langle Q, \Sigma, q_0, F, \delta \rangle$, where $Q$ is the finite set of states, $\Sigma$ the machine alphabet, $q_0 \in Q$ the initial state, $F$ the set of accepting states, and $\delta$ the transition function, that solves $A$ using at most space $2^{p(|in|)}$ on a given input $in$, for some polynomial function $p$. As standard, we assume $\delta$ to be a relation on $(Q \times \Sigma \times Q \times \Sigma \times D)$, with $D = \{L, R\}$, and $(q, c, q', c', d) \in \delta$ representing a transition from state $q$ to state $q'$, with characters $c$ and $c'$ read and written respectively, and head direction $d$ ((L)eft or (R)ight). Without loss of generality, we assume that $T_A$ uses only the right-hand half of the tape.
From $T_A$ and $in$, we build an encoding $E_{\mathcal{P}} = (\mathcal{D}, U, s_0, \Phi_\tau)$ of an AC-MAS $\mathcal{P}$ induced by a single (environment) agent $A_E = (\mathcal{D}_E, L_E, Act_E, Pr_E)$ defined on $U = \Sigma \cup Q \cup \{0, 1\}$, where: (i) $\mathcal{D}_E = \{P/(p(|in|)+1),\ Q/1,\ H/p(|in|),\ F/1\}$; (ii) $L_E = \mathcal{D}_E(U)$; (iii) $Act_E$ is the singleton $\{a_E\}$, with $a_E$ parameter-free; (iv) $a_E \in Pr_E(l_E)$ for every $l_E \in \mathcal{D}_E(U)$. Intuitively, the states of $\mathcal{P}$ correspond to configurations of $T_A$, while $\tau$ mimics $\delta$. To define $E_{\mathcal{P}}$, we let $\mathcal{D} = \mathcal{D}_E$. The intended meaning of the predicates in $\mathcal{D}$ is as follows: the first $p(|in|)$ elements of a $P$-tuple encode (in binary) the position of a non-blank cell, and the $(p(|in|)+1)$-th element contains the symbol appearing in that cell; $Q$ contains the current state $q$ of $T_A$; $H$ contains the position of the cell the head is currently on; $F$ contains the accepting states of $T_A$, i.e., $s(F) = F$ in every state $s$. The initial state $s_0$ represents the initial configuration of $T_A$, that is, for $in = in_0 \cdots in_\ell$: $s_0(Q) = \{q_0\}$; $s_0(H) = \{(0, \ldots, 0)\}$; and $s_0(P) = \{(\mathrm{BIN}(i), in_i) \mid i \in \{0, \ldots, \ell\}\}$, where $\mathrm{BIN}(i)$ stands for the binary encoding in $p(|in|)$ bits of the integer $i$. Observe that $p(|in|)$ bits are enough to index the (at most) $2^{p(|in|)}$ cells used by $T_A$.

As to the transition relation, we define $\Phi_\tau = \{\phi_{a_E}\}$, where:

$$\phi_{a_E} = (\forall x\, (F(x) \leftrightarrow F'(x))) \land \bigvee_{(q, c, q', c', d) \in \delta} \Big( Q(q) \land (\forall x\, Q(x) \to x = q) \land Q'(q') \land (\forall x\, Q'(x) \to x = q') \land$$
$$\exists p\, \big( H(p) \land (\forall x\, H(x) \to x = p) \land (P(p, c) \lor (c = \Box \land \lnot \exists x\, P(p, x))) \land$$
$$\exists p'\, \big( (d = R \to \mathrm{SUCC}(p, p')) \land (d = L \to \mathrm{SUCC}(p', p)) \land H'(p') \land (\forall x\, H'(x) \to x = p') \land$$
$$(P'(p, c') \leftrightarrow (c' \neq \Box)) \land (\forall x\, P'(p, x) \to x = c') \land$$
$$(\forall x, y\, (P(x, y) \land x \neq p \to P'(x, y))) \land (\forall x, y\, (P'(x, y) \to (P(x, y) \lor (x = p \land y = c')))) \big) \big) \Big)$$

The symbol $\Box$ represents the content of blank cells, while

$$\mathrm{SUCC}(x, x') = \bigwedge_{i=1}^{p(|in|)} \Big( (x_i = 0 \lor x_i = 1) \land \big( x'_i = 1 \leftrightarrow \big( (x_i = 0 \land \bigwedge_{j=i+1}^{p(|in|)} x_j = 1) \lor (x_i = 1 \land \lnot \bigwedge_{j=i+1}^{p(|in|)} x_j = 1) \big) \big) \Big)$$

is a formula capturing that $x'$ is the successor of $x$, for $x$ and $x'$ interpreted as $p(|in|)$-bit binary encodings of integers with $x_1$ the most significant bit (observe that $\{0, 1\} \subseteq U$). Such a formula can obviously be written in time polynomial in $p(|in|)$, and so can $E_{\mathcal{P}}$, in particular $s_0$ and $\phi_{a_E}$.

As can be seen by analysing $\Phi_\tau$, the obtained transition function is such that $\tau(s, a_E) = s'$ iff, for $\delta(q, c) = (q', c', d)$ in $T_A$, we have that: $s'(P)$ is obtained from $s(P)$ by overwriting with $c'$ (if not blank) the symbol in position $p(|in|)+1$ of the tuple in $s(P)$ beginning with the $p(|in|)$-tuple in $s(H)$ (that symbol is $c$, by definition of $\phi_{a_E}$); $s'(H)$ is obtained by updating $s(H)$ according to $d$, that is, by increasing or decreasing the value it contains; and $s'(Q) = \{q'\}$. The predicate $F$ does not change. Observe that cells not occurring in $P$ are interpreted as containing $\Box$ and that when $\Box$ is to be written on a cell, the cell is simply removed from $P$.

It can be checked that, starting with $s = s_0$, by iteratively generating the successor state $s'$ according to $\Phi_\tau$, i.e., the $s'$ such that $s \oplus s' \models \phi_{a_E}$, one obtains a (single) $\mathcal{P}$-run that is a representation of the computation of $T_A$ on $in$, where each pair of consecutive $\mathcal{P}$-states corresponds to a computation step. In particular, at each state, $Q$ contains the current state of $T_A$. It should be clear that $\varphi = EF(\exists x\, (Q(x) \land F(x)))$ holds in $\mathcal{P}$ iff $T_A$ accepts $in$. Thus, by checking $\varphi$, we can check whether $T_A$ accepts $in$. This completes the proof of EXPSPACE-hardness. $\Box$
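As an added illustration of the reduction (this script is not part of the paper), the following Python code represents a Turing-machine configuration exactly as the encoding above does, a database instance over $P$, $Q$, $H$ and $F$ with binary cell indices, and steps it by selecting the $\delta$-disjunct of $\phi_{a_E}$ that is enabled, checking the $\mathrm{SUCC}$ conjunct bit by bit on the way. The machine $T_A$ it runs is a constructed example (it accepts a binary string iff it contains a 1), and the bit width plays the role of $p(|in|)$.

```python
# Added illustration (not from the paper): a deterministic Turing machine run
# as the single-agent AC-MAS of the EXPSPACE-hardness reduction. An AC-MAS
# state is a database instance over D_E = {P, Q, H, F}: P holds (BIN(i), symbol)
# for every non-blank cell i, Q the current control state, H the head position
# as a p(|in|)-bit tuple, F the accepting states. step() plays the role of
# phi_{a_E}: it applies the delta-disjunct enabled in the current state.
from typing import Dict, FrozenSet, Optional, Tuple

BLANK = "_"            # the blank symbol, written as a box in the paper
L, R = "L", "R"
State = Dict[str, FrozenSet[tuple]]

# Constructed machine T_A (an assumption made for this example): move right over
# the input and accept on reaching a blank iff at least one '1' was read.
# delta maps (q, c) to (q', c', d); halting states have no outgoing transition.
TM = {
    "initial": "q0",
    "accepting": {"qacc"},
    "delta": {
        ("q0", "0"): ("q0", "0", R), ("q0", "1"): ("q1", "1", R),
        ("q0", BLANK): ("qrej", BLANK, R),
        ("q1", "0"): ("q1", "0", R), ("q1", "1"): ("q1", "1", R),
        ("q1", BLANK): ("qacc", BLANK, R),
    },
}

def binary(i: int, bits: int) -> Tuple[str, ...]:
    """BIN(i): the bits-wide binary encoding of i, x_1 being the most significant bit."""
    return tuple(format(i, f"0{bits}b"))

def succ(x: Tuple[str, ...], xp: Tuple[str, ...]) -> bool:
    """SUCC(x, x') evaluated bit by bit exactly as the formula states it:
    x'_i = 1 iff (x_i = 0 and all lower-order bits x_j, j > i, are 1)
    or (x_i = 1 and not all lower-order bits are 1)."""
    n = len(x)
    if len(xp) != n:
        return False
    for i in range(n):
        if x[i] not in ("0", "1") or xp[i] not in ("0", "1"):
            return False
        carry = all(x[j] == "1" for j in range(i + 1, n))
        bit = "1" if (x[i] == "0" and carry) or (x[i] == "1" and not carry) else "0"
        if xp[i] != bit:
            return False
    return True

def initial_state(tm, inp: str, bits: int) -> State:
    """s_0: Q = {q_0}, H = {(0,...,0)}, P = {(BIN(i), in_i)}, F = accepting states."""
    return {
        "Q": frozenset({(tm["initial"],)}),
        "H": frozenset({binary(0, bits)}),
        "P": frozenset((binary(i, bits), c) for i, c in enumerate(inp)),
        "F": frozenset((q,) for q in tm["accepting"]),
    }

def step(tm, s: State) -> Optional[State]:
    """tau(s, a_E): the unique s' with s (+) s' |= phi_{a_E}, or None when no
    delta-disjunct is enabled (the machine has halted)."""
    [(q,)] = s["Q"]                      # Q and H are singletons by construction
    [p] = s["H"]
    cells = dict(s["P"])                 # position -> symbol; absent cells are blank
    c = cells.get(p, BLANK)
    if (q, c) not in tm["delta"]:
        return None
    q2, c2, d = tm["delta"][(q, c)]
    n = int("".join(p), 2)
    if d == L and n == 0:                # left of cell 0 is undefined on a half tape
        return None
    p2 = binary(n + 1 if d == R else n - 1, len(p))
    assert succ(p, p2) if d == R else succ(p2, p)   # the SUCC conjunct of phi_{a_E}
    cells.pop(p, None)                   # writing a blank just removes the cell from P
    if c2 != BLANK:
        cells[p] = c2
    return {"Q": frozenset({(q2,)}), "H": frozenset({p2}),
            "P": frozenset(cells.items()), "F": s["F"]}

def accepts(tm, inp: str, max_steps: int = 1000) -> bool:
    """Decide EF(exists x (Q(x) and F(x))) along the single run of the induced
    AC-MAS; the bit width is chosen so every cell this machine touches is indexable."""
    bits = max(1, (len(inp) + 2).bit_length())
    s = initial_state(tm, inp, bits)
    for _ in range(max_steps + 1):
        if s["Q"] & s["F"]:              # some x with Q(x) and F(x)
            return True
        s = step(tm, s)
        if s is None:
            return False
    return False
```

With this machine `accepts(TM, "0101")` is true and `accepts(TM, "000")` is false; the only data that grows along the run is the $H$ tuple and the $P$ relation, mirroring the space bound of the machine rather than the (doubly exponential) state space of the AC-MAS.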
Note that the result above is given in terms of the "data structures" in the model, i.e., $U$ and $\mathcal{D}$, and not of the state space $S$ itself. This accounts for the high complexity of model checking AC-MAS, as the state space is doubly exponential in the size of the data.

While EXPSPACE-hardness indicates intractability, we note that this is to be expected given that we are dealing with quantified structures, which are in principle prone to undecidability. Recall also from Section 4.2 that the size of the interpretation domain $U'$ of the abstraction $\mathcal{P}'$ is linear in the bound $b$, the number of constants in $C$, the size of $\varphi$, and $N_{Ag}$. Hence, model checking bounded and uniform AC-MAS is EXPSPACE-complete with respect to these parameters, whose size will generally be small. Thus, we believe that in several cases of practical interest model checking AC-MAS may be entirely feasible.

We now conclude the section with some observations on the verification of bounded and unbounded systems. Observe that the results presented in Sections 3.1 and 4.2 apply to infinite but bounded AC-MAS, i.e., those whose global states never exceed a certain size in any run. It is however worth noting that existential fragments of the specification languages considered so far need not be examined with respect to the whole AC-MAS. Indeed, in bounded model checking for CTLK submodels are iteratively explored until a witness for an existential specification is found (Penczek & Lomuscio, 2003). If that happens, we can deduce that the existential specification holds on the full model as well. As we show below, we can extend this result to the case of infinite AC-MAS.

To begin, define the $b$-restriction $\mathcal{P}_b$ of an AC-MAS $\mathcal{P}$ as follows.

Definition 5.2 ($b$-Restriction) Given an AC-MAS $\mathcal{P} = (S, U, s_0, \tau)$ and $b \in \mathbb{N}$ such that $b \geq |adom(s_0) \cup C|$, the $b$-restriction $\mathcal{P}_b = (S_b, U, s_0, \tau_b)$ of $\mathcal{P}$ is such that

• $S_b = \{s \in S \mid |adom(s)| \leq b\}$;

• $s' \in \tau_b(s, \alpha(\vec{u}))$ iff $s' \in \tau(s, \alpha(\vec{u}))$ and $s, s' \in S_b$.

Notice that $s_0 \in S_b$ by construction and $\tau_b$ is the restriction of $\tau$ to $S_b$; the interpretation domain $U$ is the same in $\mathcal{P}$ and $\mathcal{P}_b$. The result below demonstrates that if an FO-ECTLK formula holds on the $b$-restriction, then the formula holds on the whole AC-MAS.

Theorem 5.3 Consider an AC-MAS $\mathcal{P}$ and its $b$-restriction $\mathcal{P}_b$, for $b \in \mathbb{N}$. For any formula $\phi$ in FO-ECTLK, we have that:

$$\mathcal{P}_b \models \phi \ \Rightarrow\ \mathcal{P} \models \phi$$

Proof. By induction on the construction of $\phi$. The base case for atomic formulas and the inductive cases for propositional connectives are trivial, as the interpretation of relation symbols for states in $S_b$ is the same as in $S$. As to the existential operators $EX$ and $EU$, it suffices to remark that if $r$ is a run in $\mathcal{P}_b$ satisfying either $EX\psi$ or $E\psi U \psi'$, then $r$ is a run of $\mathcal{P}$ as well, by definition of $\mathcal{P}_b$. The cases for the epistemic modalities $K_i$ and $C$ are similar: if $(\mathcal{P}_b, s, \sigma) \models K_i \phi$, then there exists $s' \in S_b$ such that $s \sim_i s'$ and $(\mathcal{P}_b, s', \sigma) \models \phi$. In particular, $s' \in S$ and therefore $(\mathcal{P}, s, \sigma) \models K_i \phi$. For $C\phi$ the proof is similar, by considering the transitive closure of the epistemic relations. Finally, the case of quantifiers follows from the fact that the active domain of each state is the same in $\mathcal{P}$ and $\mathcal{P}_b$. $\Box$

Observe that there are specifications in FO-CTLK that are not preserved from $\mathcal{P}_b$ to $\mathcal{P}$. For instance, consider the specification $\varphi_b = AG\, \forall x_1, \ldots, x_{b+1} \bigvee_{i \neq j} (x_i = x_j)$ in SA-FO-CTL, which expresses the fact that every state in every run contains at most $b$ distinct elements. The formula $\varphi_b$ is clearly satisfied by $\mathcal{P}_b$ but not by $\mathcal{P}$, whenever $\mathcal{P}$ is unbounded.

Theorem 5.3 can in principle form the basis for an incremental iterative procedure for checking an existential specification $\phi$ on an infinite AC-MAS $\mathcal{P}$. We can begin by taking a reasonable bound $b$ and check $\mathcal{P}_b \models \phi$. If that holds we can deduce $\mathcal{P} \models \phi$; if not, we can increase the bound and rep
eat. The procedure is sound but clearly not complete: a specification that holds on $\mathcal{P}$ may need a witness whose states are larger than any bound tried. As mentioned earlier, this is in the spirit of bounded model checking (Biere, Cimatti, Clarke, Strichman, & Zhu, 2003). Here, however, the bound is on the size of the states, rather than on the length of the runs.

6. Model Checking Artifact-Centric Programs 

We have so far developed a formalism that can be used to specify and reason about temporal- 
epistemic properties of models representing artifact-centric systems. We have identified two notable 
classes that admit finite abstractions. As we remarked in the introduction, however, artifact-centric 
systems are typically implemented through declarative languages such as GSM (Hull et al., 2011). 
It is therefore of paramount interest to investigate the verification problem, not just on a Kripke 
semantics such as AC-MAS, but on concrete programs. As discussed, while GSM is a mainstream 
declarative language for artifact-centric environments, alternative declarative approaches exist. In 
what follows for the sake of generality we ground our discussion on a very wide class of declarative 
languages and define the notion of artifact-centric program. Intuitively, an artifact-centric program 
(or AC program) is a declarative description of a whole multi-agent system, i.e., a set of services, 
that interact with the artifact system (see discussion in the Introduction). Since artifact systems are 
also typically implemented declaratively (see (Heath et al., 2011)) in what follows AC programs 
will be used to encode both the artifact system itself and the agents in the system. This also enables 
us to import into the formalism the previously discussed features of views and windows typical in 
GSM and other languages. 

This section is organised as follows. Firstly, we define AC programs and give their semantics 
in terms of AC-MAS. Secondly, we show that any AC-MAS that results from an AC program is 
uniform. This enables us to state that, as long as the generated AC-MAS is bounded, any AC 
program admits an AC-MAS as its finite model. In this context it is actually important to give 
constructive procedures for the generation of the finite abstraction; we provide such a procedure 
here. This enables us to state that, under the assumptions we identify, AC programs admit decidable 
verification by means of model checking their finite model. 

We start by defining the abstract syntax of AC programs. 

Definition 6.1 (AC Program) An artifact-centric program (or AC program) is a tuple $ACP = (\mathcal{D}, U, \Sigma)$, where:

• $\mathcal{D}$ is the program's database schema;

• $U$ is the program's interpretation domain;

• $\Sigma = \{\Sigma_0, \ldots, \Sigma_n\}$ is the set of agent programs $\Sigma_i = (\mathcal{D}_i, l_{i0}, \Omega_i)$, where:

 - $\mathcal{D}_i \subseteq \mathcal{D}$ is agent $i$'s database schema, s.t. $\mathcal{D}_i \cap \mathcal{D}_j = \emptyset$ for $i \neq j$;

 - $l_{i0} \in \mathcal{D}_i(U)$ is agent $i$'s initial state (as a database instance);

 - $\Omega_i$ is the set of local action descriptions in terms of preconditions and postconditions, of the form $\alpha(\vec{x}) = \langle \pi(\vec{y}), \psi(\vec{z}) \rangle$, where:

  * $\alpha(\vec{x})$ is the action signature and $\vec{x} = \vec{y} \cup \vec{z}$ is the set of its parameters;

  * $\pi(\vec{y})$ is the action precondition, i.e., an FO-formula over $\mathcal{D}_i$;

  * $\psi(\vec{z})$ is the action postcondition, i.e., an FO-formula over $\mathcal{D} \cup \mathcal{D}'$.

Recall that local database schemas and instances were introduced in Definition 2.6. Observe that AC programs are defined modularly by giving the agents' programs, including preconditions and postconditions, as well as those of the environment.

Notice that preconditions use relation symbols from the local database only, while postconditions can use any symbol from the whole $\mathcal{D}$ and from its primed copy $\mathcal{D}'$, which describes the next state. This accounts for the intuition, formalised in AC-MAS and present in the temporal-epistemic logic literature, that agents' actions may change the environment and the state of other agents. For an action $\alpha(\vec{x})$, we let $const(\alpha) = const(\pi) \cup const(\psi)$, $vars(\alpha) = vars(\pi) \cup vars(\psi)$, and $free(\alpha) = \vec{x}$. An execution of $\alpha(\vec{x})$ with ground parameters $\vec{u} \in U^{|\vec{x}|}$ is the ground action $\alpha(\vec{u}) = \langle \pi(\vec{v}), \psi(\vec{w}) \rangle$, where $\vec{v}$ (resp. $\vec{w}$) is obtained by replacing each $y_i$ (resp. $z_i$) with the value occurring in $\vec{u}$ at the same position as $y_i$ (resp. $z_i$) in $\vec{x}$. Such replacements make both $\pi(\vec{v})$ and $\psi(\vec{w})$ ground. Finally, we define the set $C_{ACP}$ of all constants mentioned in $ACP$, i.e., $C_{ACP} = \bigcup_{i=0}^{n} \big( adom(l_{i0}) \cup \bigcup_{\alpha(\vec{x}) \in \Omega_i} const(\alpha) \big)$.

The semantics of a program is given in terms of the AC-MAS induced by the agents that the program implicitly defines. Formally, this is captured by the following definition.

Definition 6.2 (Induced Agents) Given an AC program $ACP = (\mathcal{D}, U, \Sigma)$, an agent induced by $ACP$ is a tuple $A_i = (\mathcal{D}_i, L_i, Act_i, Pr_i)$ on the interpretation domain $U$ such that, for $\Sigma_i = (\mathcal{D}_i, l_{i0}, \Omega_i)$:

• $L_i \subseteq \mathcal{D}_i(U)$ is the set of the agent's local states;

• $Act_i = \{\alpha(\vec{x}) \mid \alpha(\vec{x}) \in \Omega_i\}$ is the set of local actions;

• the protocol $Pr_i(l_i)$ is defined by $\alpha(\vec{u}) \in Pr_i(l_i)$ iff $l_i \models \pi(\vec{v})$, for $\alpha(\vec{u}) = \langle \pi(\vec{v}), \psi(\vec{w}) \rangle$.

Note that the definition of induced agent is in line with the definition of agents (Definition 2.6). Agents induced as above are composed to give an AC-MAS associated with an AC program.

Definition 6.3 (Induced AC-MAS) Given an AC program $ACP$ and the set $Ag = \{A_0, \ldots, A_n\}$ of agents induced by $ACP$, the AC-MAS induced by $ACP$ is the tuple $\mathcal{P}_{ACP} = (S, U, s_0, \tau)$, where:

• $S \subseteq L_0 \times \cdots \times L_n$ is the set of reachable states;

• $s_0 = (l_{00}, \ldots, l_{n0})$ is the initial global state;

• $U$ is the interpretation domain;

• $\tau$ is the global transition function defined by the following condition: $s' \in \tau(s, (\alpha_0(\vec{u}_0), \ldots, \alpha_n(\vec{u}_n)))$, with $s = (l_0, \ldots, l_n)$ and $\alpha_i(\vec{u}_i) = \langle \pi_i(\vec{v}_i), \psi_i(\vec{w}_i) \rangle$ ($i \in \{0, \ldots, n\}$), iff the following conditions are satisfied:

 - for every $i \in \{0, \ldots, n\}$, $l_i \models \pi_i(\vec{v}_i)$;

 - $adom(s') \subseteq adom(s) \cup \bigcup_{i=0}^{n} (\vec{w}_i \cup const(\psi_i))$;

 - for every $i \in \{0, \ldots, n\}$, $D_s \oplus D_{s'} \models \psi_i(\vec{w}_i)$, where $D_s$ and $D_{s'}$ are obtained from $s$ and $s'$ as discussed on p. 11.

Given an AC program, the induced AC-MAS is the Kripke model representing the whole execution tree of the AC program together with all the data in the system. Observe that all actions performed are enabled by the respective protocols and that transitions can introduce only a bounded number of new elements into the active domain, namely those bound to the action parameters. It follows from the above that AC programs are parametric with respect to the interpretation domain, i.e., by replacing the interpretation domain we obtain a different AC-MAS. For simplicity, we assume that for every postcondition $\psi$ in a program, if a predicate does not occur in the postcondition, it is left unchanged by the relevant transitions. Formally, this means that we implicitly add a conjunct of the form $\forall \vec{x}\, (P(\vec{x}) \leftrightarrow P'(\vec{x}))$ (*) to the postcondition whenever $P$ is not mentioned in $\psi$. Further, we assume that every program induces an AC-MAS whose transition relation is serial, i.e., AC-MAS states always have successors. These are basic requirements that can be easily fulfilled, for instance, by assuming that each agent has a $skip$ action with an empty precondition and a postcondition of the form (*) for every $P \in \mathcal{D}$. In the next section we present an example of one such program.

A significant feature of AC programs is that they induce uniform AC-MAS.

Lemma 6.4 Every AC-MAS $\mathcal{P}$ induced by an AC program $ACP$ is uniform.

Proof. By Prop. 4.4, it is sufficient to consider only the temporal transition relation $\to$, as $adom(s_0) \subseteq C_{ACP}$. Consider $s, s', s'' \in S$ and $s''' \in L_0 \times \cdots \times L_n$ such that $s \oplus s' \simeq s'' \oplus s'''$ for some witness $\iota$. Also, assume that there exists $\alpha(\vec{u}) = (\alpha_0(\vec{u}_0), \ldots, \alpha_n(\vec{u}_n)) \in Act(U)$ such that $s' \in \tau(s, \alpha(\vec{u}))$. We need to prove that for every constant-preserving bijection $\iota'$ that extends $\iota$ to $\vec{u}$, we have that $s''' \in \tau(s'', \alpha(\iota'(\vec{u})))$. To this end, we remark that any witness $\iota$ for $s \oplus s' \simeq s'' \oplus s'''$ can be extended to an injective function $\iota'$ on $\bigcup_{i \in Ag} \vec{u}_i$. Obviously, $U$ contains enough distinct elements for $\iota'$ to exist, as every $\vec{u}_i$ takes values from $U$. Now, by an argument analogous to that of Proposition 2.14, it can be seen that for any FO-formula $\varphi$ and equivalent assignments $\sigma$ and $\sigma'$, we have that $(s \oplus s', \sigma) \models \varphi$ iff $(s'' \oplus s''', \sigma') \models \varphi$. But then this holds, in particular, for $\sigma'$ obtained from $\sigma$ by applying $\iota'$ to the values assigned to each parameter, i.e., $\iota'(\vec{u})$, and for the pre- and postconditions of all actions involved in the transition $s \xrightarrow{\alpha(\vec{u})} s'$. Thus, we have $s''' \in \tau(s'', \alpha(\iota'(\vec{u})))$, i.e., $\mathcal{P}$ is uniform. $\Box$

We can now define what it means for an AC program to satisfy a specification, by referring to its induced AC-MAS.

Definition 6.5 Given an AC program $ACP$, an FO-CTLK formula $\varphi$, and an assignment $\sigma$, we say that $ACP$ satisfies $\varphi$ under $\sigma$, written $(ACP, \sigma) \models \varphi$, iff $(\mathcal{P}_{ACP}, s_0, \sigma) \models \varphi$.

It follows that the model checking problem for an AC program against a specification $\phi$ is defined in terms of the model checking problem for the AC-MAS $\mathcal{P}_{ACP}$ against $\phi$.

The following result allows us to reduce the verification of any AC program with an infinite interpretation domain $U_1$ that induces a $b$-bounded AC-MAS to the verification of an AC program over a finite $U_2$. To show how this can be done, we let $N_{ACP} = \sum_{i \in \{0, \ldots, n\}} \max_{\alpha(\vec{x}) \in \Omega_i} \{|\vec{x}|\}$ be the maximum number of different parameters that can occur in a joint action of $ACP$.
Lemma 6.6 Consider an AC program $ACP_1 = (\mathcal{D}, U_1, \Sigma)$ operating on an infinite interpretation domain $U_1$ and assume its induced AC-MAS $\mathcal{P}_{ACP_1} = (S_1, U_1, s_{10}, \tau_1)$ is $b$-bounded. Consider a finite interpretation domain $U_2$ such that $C_{ACP_1} \subseteq U_2$ and $|U_2| \geq 2b + |C_{ACP_1}| + N_{ACP_1}$, and the AC program $ACP_2 = (\mathcal{D}, U_2, \Sigma)$. Then, the AC-MAS $\mathcal{P}_{ACP_2} = (S_2, U_2, s_{20}, \tau_2)$ induced by $ACP_2$ is a finite abstraction of $\mathcal{P}_{ACP_1}$.

Proof. Let $Ag_1$ and $Ag_2$ be the sets of agents induced respectively by $ACP_1$ and $ACP_2$, according to Def. 6.2. First, we prove that the sets of agents $Ag_1$ and $Ag_2$ satisfy Def. 3.7, for $Ag = Ag_1$ and $Ag' = Ag_2$. To this end, observe that because $ACP_1$ and $ACP_2$ differ only in $U$, by Def. 6.2, $\mathcal{D}'_i = \mathcal{D}_i$, $L'_i \subseteq \mathcal{D}'_i(U')$, and $Act'_i = Act_i$. Thus, only requirement 4 of Def. 3.7 still needs to be proved. To see it, fix $i \in \{0, \ldots, n\}$ and assume that $\alpha(\vec{u}) \in Pr_i(l_i)$. By Def. 6.2, we have that $l_i \models \pi(\vec{v})$, for $\alpha(\vec{u}) = \langle \pi(\vec{v}), \psi(\vec{w}) \rangle$. By the assumption on $|U_2|$, since $const(\alpha) \subseteq C_{ACP_1} \subseteq U_2$, $|\vec{u}| \leq N_{ACP_1}$ and $|adom(l_i)| \leq b$, we can define an injective function $\iota : adom(l_i) \cup \vec{u} \cup C_{ACP_1} \mapsto U_2$ that is the identity on $C_{ACP_1}$. Thus, for $l'_i = \iota(l_i)$ we can easily extract from $\iota$ a witness for $l_i \simeq l'_i$. Moreover, it can be seen that $\vec{v}$ and $\vec{v}' = \iota(\vec{v})$ are equivalent for $\pi$. Then, by applying Prop. 2.14 to $l_i$ and $l'_i$, we conclude that $l'_i \models \pi(\vec{v}')$. Hence, by Def. 6.2, $\alpha(\vec{u}') \in Pr'_i(l'_i)$ for $\vec{u}' = \iota(\vec{u})$. So, we have shown the right-to-left part of requirement 4. The left-to-right part can be shown similarly and in a simplified way, as $U_1$ is infinite.

Thus, we have proven that $Ag = Ag_1$ and $Ag' = Ag_2$ are obtained as in Def. 3.7. Hence, the assumption on $Ag$ and $Ag'$ in Def. 4.10 is fulfilled. We prove next that also the remaining requirements of Def. 4.10 are satisfied. Obviously, since $\Sigma$ is the same for $ACP_1$ and $ACP_2$, by Def. 6.3, $s_{10} = s_{20}$, so the initial states of $\mathcal{P}_{ACP_1}$ and $\mathcal{P}_{ACP_2}$ are the same. It remains to show that the requirements on $\tau_1$ and $\tau_2$ are satisfied. We prove the right-to-left part. To this end, take two states $s_1 = (l_{10}, \ldots, l_{1n})$ and $s'_1 = (l'_{10}, \ldots, l'_{1n})$ in $S_1$ and a joint action $\alpha(\vec{u}) = (\alpha_0(\vec{u}_0), \ldots, \alpha_n(\vec{u}_n)) \in Act(U_1)$ such that $s'_1 \in \tau_1(s_1, \alpha(\vec{u}))$. Consider $s_1 \oplus s'_1$. By the assumptions on $U_2$, there exists an injective function $\iota : adom(s_1) \cup adom(s'_1) \cup \vec{u} \cup C_{ACP_1} \mapsto U_2$ that is the identity on $C_{ACP_1}$ (recall that $|adom(s_1)|, |adom(s'_1)| \leq b$). Then, for $s_2 = (\iota(l_{10}), \ldots, \iota(l_{1n}))$ and $s'_2 = (\iota(l'_{10}), \ldots, \iota(l'_{1n}))$ in $S_2$, we can extract from $\iota$ a witness for $s_1 \oplus s'_1 \simeq s_2 \oplus s'_2$. Moreover, it can be seen that for every $\pi_i$ and $\psi_i$ in $\alpha_i(\vec{x}_i) = \langle \pi_i(\vec{y}_i), \psi_i(\vec{z}_i) \rangle$, $\vec{u}$ and $\vec{u}' = \iota(\vec{u})$ are equivalent with respect to $s_1 \oplus s'_1$ and $s_2 \oplus s'_2$. Now, consider Def. 6.3 and recall that $\mathcal{P}_{ACP_1}$ and $\mathcal{P}_{ACP_2}$ are the AC-MAS induced by $ACP_1$ and $ACP_2$, respectively. By applying Prop. 2.14, we have that, for $i \in \{0, \ldots, n\}$: $\iota(l_{1i}) \models \pi_i(\iota(\vec{v}_i))$ iff $l_{1i} \models \pi_i(\vec{v}_i)$; and $D_{s_2} \oplus D_{s'_2} \models \psi_i(\iota(\vec{w}_i))$ iff $D_{s_1} \oplus D_{s'_1} \models \psi_i(\vec{w}_i)$. In addition, by the definition of $\tau$, $adom(s'_1) \subseteq adom(s_1) \cup \bigcup_{i=0}^{n} (\vec{w}_i \cup const(\psi_i))$ iff $adom(s'_2) \subseteq adom(s_2) \cup \bigcup_{i=0}^{n} (\iota(\vec{w}_i) \cup const(\psi_i))$. But then, it is the case that $s'_2 \in \tau_2(s_2, (\alpha_0(\iota(\vec{u}_0)), \ldots, \alpha_n(\iota(\vec{u}_n))))$. So we have proved the right-to-left part of the second requirement of Def. 4.10. The other direction follows similarly. Therefore, $\mathcal{P}_{ACP_2}$ is an abstraction of $\mathcal{P}_{ACP_1}$. $\Box$

Intuitively, Lemma 6.6 shows that the following diagram commutes, where $[U_1/U_2]$ stands for the replacement of $U_1$ by $U_2$ in the definition of $ACP_1$. Observe that since $U_2$ is finite, one can actually apply Def. 6.3 to obtain $\mathcal{P}_{ACP_2}$, while this cannot be done for $ACP_1$, as $U_1$ is infinite.

    ACP_1  ---- Def. 6.3 ---->  P_{ACP_1}
      |                             |
   [U_1/U_2]                    Def. 4.10
      |                             |
      v                             v
    ACP_2  ---- Def. 6.3 ---->  P_{ACP_2}
The following result, a direct consequence of Lemma 4.12 and Lemma 6.6, is the key conclusion of this section.

Theorem 6.7 Consider an FO-CTLK formula $\varphi$ and an AC program $ACP_1$ operating on an infinite interpretation domain $U_1$, and assume its induced AC-MAS $\mathcal{P}_{ACP_1}$ is $b$-bounded. Consider a finite interpretation domain $U_2$ such that $C_{ACP_1} \subseteq U_2$ and $|U_2| \geq 2b + |C_{ACP}| + \max\{N_{ACP}, |vars(\varphi)|\}$, and the AC program $ACP_2 = (\mathcal{D}, U_2, \Sigma)$. Then we have that:

$$ACP_1 \models \varphi \ \text{ iff } \ ACP_2 \models \varphi.$$

Proof. By Lemma 6.6, $\mathcal{P}_{ACP_2}$ is a finite abstraction of $\mathcal{P}_{ACP_1}$. Moreover, $|U_2| \geq 2b + |C_{ACP}| + \max\{N_{ACP}, |vars(\varphi)|\}$ implies $|U_2| \geq 2b + |C_{ACP}| + |vars(\varphi)|$. Hence, we can apply Lemma 4.12 and the result follows. $\Box$

The above is the key result in this section. It shows that if the generated AC-MAS model is bounded, then any AC program can be verified by model checking its finite abstraction, i.e., a bisimilar AC-MAS defined on a finite interpretation domain. Note that in this case the procedure is entirely constructive: given an AC program $ACP_1 = (\mathcal{D}, U_1, \Sigma)$ on an infinite domain $U_1$ and an FO-CTLK formula $\varphi$, to check whether $ACP_1$ satisfies the specification $\varphi$, we first consider the finite "abstraction" $ACP_2 = (\mathcal{D}, U_2, \Sigma)$ defined on a finite domain $U_2$ satisfying the cardinality requirement of Theorem 6.7. Since $U_2$ is finite, the induced AC-MAS $\mathcal{P}_{ACP_2}$ is finite as well, hence we can apply standard model checking techniques to verify whether $\mathcal{P}_{ACP_2}$ satisfies $\varphi$. Finally, by the definition of satisfaction for AC programs and Theorem 6.7, we can transfer the result obtained to decide the model checking problem for the original infinite AC program $ACP_1$ and $\varphi$.

Also observe that in the finite abstraction considered above the abstract interpretation domain $U_2$ depends on the number of distinct variables that the specification $\varphi$ contains. Thus, in principle, to check the same AC program against a different specification $\varphi'$, one should construct a new abstraction $\mathcal{P}_{ACP'_2}$ using a different interpretation domain $U'_2$, and then check $\varphi'$ against it. However, it can be seen that if the number of distinct variables of $\varphi'$ does not exceed that of $\varphi$, the abstraction $\mathcal{P}_{ACP_2}$ used to check $\varphi$ can be re-used for $\varphi'$. Formally, let FO-CTLK$_k$ be the set of all FO-CTLK formulas containing at most $k$ distinct variables. We have the following corollary to Theorem 6.7.

Corollary 6.8 If $|U_2| \geq 2b + |C_{ACP}| + \max\{N_{ACP}, k\}$, then, for every FO-CTLK$_k$ formula $\varphi$, $ACP_1 \models \varphi$ iff $ACP_2 \models \varphi$.

This result holds in particular for $k = N_{ACP}$; thus for FO-CTLK$_{N_{ACP}}$ formulas we have an abstraction procedure that is specification-independent.

Theorem 6.7 requires the induced AC-MAS to be bounded, which may seem a difficult condition 
to check a priori. Note however that AC programs are declarative. As such it is straightforward to 
give postconditions that enforce that no transition will generate states violating the boundedness 
requirement. The scenario in the next section will exemplify this. 

7. The Order-to-Cash Scenario 

In this section we exemplify the methodology presented so far in the context of a business process inspired by an IBM customer use-case (Hull et al., 2011). The order-to-cash scenario describes the actions performed by a number of agents in an e-commerce situation relating to the purchase and delivery of a product. The agents in the system consist of a manufacturer, some customers, and some suppliers. The process begins when a customer prepares and submits a purchase order (PO), i.e., a list of products the customer requires, to the manufacturer. Upon receiving a PO, the manufacturer prepares a material order (MO), i.e., a list of components needed to assemble the requested products. The manufacturer then selects a supplier and forwards him the relevant material order. Upon receipt a supplier can either accept or reject an MO. In the former case he then proceeds to deliver the requested components to the manufacturer. In the latter case he notifies the manufacturer of his rejection. If an MO is rejected, the manufacturer can delete it and then prepare and submit new MOs. When the components required have been delivered to the manufacturer, he assembles the product and, provided the order has been paid for, delivers it to the customer. Any order which is directly or indirectly related to a PO can be deleted only after the PO is deleted.

Figure 3: Lifecycles of the artifacts involved in the order-to-cash scenario. (a) Purchase Order lifecycle. (b) Material Order lifecycle, with statuses preparation, submitted, accepted, rejected and shipped, and transitions labelled createMO, doneMO, acceptMO, shipMO and deleteMO. (The diagram itself is not reproduced here.)

We can encode the order-to-cash business process as an artifact-centric program $ACP_{otc}$, where the artifact data models are represented as database schemas and their evolution is characterised by an appropriate set of operations. It is natural to identify two classes of artifacts, representing the PO and the MO, each corresponding to the respective orders by the agents. An intuitive representation of the artifact lifecycles, i.e., the evolution of some key records in the artifacts' states, capturing only the dependence of actions on the artifact statuses, is shown in Fig. 3. Note that this is an incomplete representation of the business process, as the interaction between actions and the artifact data content is not represented.

Next, we encode the whole system as an AC program, where the artifact data models are represented as a relational database schema, and the corresponding lifecycles are formally characterised by an appropriate set of actions. We reserve a distinguished relation for each artifact class. In addition, we introduce static relations to store product and material information. For the sake of presentation we assume to be dealing with three agents only: one customer $c$, one manufacturer $m$ and one supplier $s$. The database schema $\mathcal{D}_i$ for each agent $i \in \{c, m, s\}$ can therefore be given as:

• Customer $c$: $\mathcal{D}_c = \{Products(prod\_code, budget),\ PO(id, prod\_code, offer, status)\}$;

• Manufacturer $m$: $\mathcal{D}_m = \{PO(id, prod\_code, offer, status),\ MO(id, prod\_code, price, status)\}$;

• Supplier $s$: $\mathcal{D}_s = \{Materials(mat\_code, cost),\ MO(id, prod\_code, price, status)\}$.

The relations $Products$ and $Materials$, as well as $PO$ and $MO$, are self-explanatory. Note the presence of the attribute $status$ in the relations corresponding to artifacts.
As interpretation domain, we consider the infinite set $U_{otc}$ of alphanumeric strings. Also, we assume that in the initial state the only non-empty relations are $Products$ and $Materials$, which contain background information, such as the catalogue of available products.

Hence, the artifact-centric program $ACP_{otc}$ corresponding to the order-to-cash scenario can be given formally as follows:

Definition 7.1 The artifact-centric program $ACP_{otc}$ is a tuple $(\mathcal{D}_{otc}, U_{otc}, \Sigma_{otc})$, where:

• the program's database schema $\mathcal{D}_{otc}$ and interpretation domain $U_{otc}$ are introduced as above, i.e., $\mathcal{D}_{otc} = \mathcal{D}_c \cup \mathcal{D}_m \cup \mathcal{D}_s = \{Products/2, PO/4, MO/4, Materials/2\}$ and $U_{otc}$ is the set of all alphanumeric strings;

• $\Sigma_{otc} = \{\Sigma_c, \Sigma_m, \Sigma_s\}$ is the set of agent specifications for the customer $c$, the manufacturer $m$ and the supplier $s$. Specifically, for each $i \in \{c, m, s\}$, $\Sigma_i = (\mathcal{D}_i, l_{i0}, \Omega_i)$ is such that:

 - $\mathcal{D}_i \subseteq \mathcal{D}$ is agent $i$'s database schema as detailed above, i.e., $\mathcal{D}_c = \{Products/2, PO/4\}$, $\mathcal{D}_m = \{PO/4, MO/4\}$, and $\mathcal{D}_s = \{MO/4, Materials/2\}$;

 - $l_{c0}$, $l_{m0}$ and $l_{s0}$ are database instances in $\mathcal{D}_c(U_{otc})$, $\mathcal{D}_m(U_{otc})$ and $\mathcal{D}_s(U_{otc})$ respectively, s.t. $l_{c0}(Products)$ and $l_{s0}(Materials)$ are not empty, i.e., they contain some background information, while $l_{c0}(PO)$, $l_{m0}(PO)$, $l_{m0}(MO)$ and $l_{s0}(MO)$ are empty;

 - we assume that $\Omega_c$ contains the actions $createPO(prod\_code, offer)$, $submitPO(po\_id)$, $pay(po\_id)$ and $deletePO(po\_id)$. Similarly, $\Omega_m = \{createMO(po\_id, price), doneMO(mo\_id), shipPO(po\_id), deleteMO(mo\_id)\}$ and $\Omega_s = \{acceptMO(mo\_id), rejectMO(mo\_id), shipMO(mo\_id)\}$.

System actions capture legal operations on the underlying database and, thus, on artifacts. In Table 1 we report some of their specifications. Variables (from $V$) and constants (from $U$) are distinguished by font: constants such as the status values are set in sans-serif. From Section 6 we adopt the convention that an action affects only those relations whose name occurs in $\psi$.

Consider, for instance, the action $createPO$ performed by the customer $c$, whose purpose is the creation of a PO artifact instance related to a given $prod\_code$. Its precondition requires that the action parameter $prod\_code$ refers to an actual product in the $Products$ database, while the postcondition guarantees that the $offer$ value in $PO$ is set equal to $budget$ and that the $id$ of the new PO is unique. As regards the action $createMO$, performed by the manufacturer $m$ and meant to create instances of MO artifacts, its precondition requires that $po\_id$ is the identifier of some existing PO. Its postcondition states that, upon execution, the $MO$ relation contains exactly one additional tuple, with identifier attribute set to a fresh $id$, with attribute $status$ set to $\mathsf{preparation}$ and asking price set to $price$. As an example of an action triggering an artifact's status transition, consider the action $doneMO$, also performed by the manufacturer $m$. $doneMO$ is executable only if the MO artifact is in status $\mathsf{preparation}$; its effect is to set the $status$ attribute to $\mathsf{submitted}$. Finally, as an example of an action triggered by a choice, consider the action $acceptMO$ performed by the supplier $s$. It is enabled only if the product code $pc$ and the price $p$ of the MO have matching values in the $Materials$ database. The action outcome is to set the $status$ attribute to $\mathsf{accepted}$.

Table 1: Specification of the actions affecting the artifacts PO and MO in the order-to-cash scenario.

• $createPO(prod\_code) = \langle \pi(prod\_code), \psi(prod\_code) \rangle$, where:

 - $\pi(prod\_code) = \exists b\, Products(prod\_code, b)$

 - $\psi(prod\_code) = \exists id, b\, \big( PO'(id, prod\_code, b, \mathsf{prepared}) \land Products(prod\_code, b) \land \forall id', pc, o, s\, (PO(id', pc, o, s) \to id \neq id') \big)$

• $createMO(po\_id, price) = \langle \pi(po\_id, price), \psi(po\_id, price) \rangle$, where:

 - $\pi(po\_id, price) = \exists pc, o\, PO(po\_id, pc, o, \mathsf{prepared})$

 - $\psi(po\_id, price) = \exists id, pc\, \big( MO'(id, pc, price, \mathsf{preparation}) \land \exists o\, PO(po\_id, pc, o, \mathsf{prepared}) \land \forall id', pc', pr, s\, (MO(id', pc', pr, s) \to id \neq id') \big)$

• $doneMO(mo\_id) = \langle \pi(mo\_id), \psi(mo\_id) \rangle$, where:

 - $\pi(mo\_id) = \exists pc, p\, MO(mo\_id, pc, p, \mathsf{preparation})$

 - $\psi(mo\_id) = \forall w, pc, p, s\, \big( (w \neq mo\_id \to (MO(w, pc, p, s) \leftrightarrow MO'(w, pc, p, s))) \land (MO(mo\_id, pc, p, s) \to (MO'(mo\_id, pc, p, \mathsf{submitted}) \land (s \neq \mathsf{submitted} \to \lnot MO'(mo\_id, pc, p, s)))) \big)$

• $acceptMO(mo\_id) = \langle \pi(mo\_id), \psi(mo\_id) \rangle$, where:

 - $\pi(mo\_id) = \exists pc, p\, (MO(mo\_id, pc, p, \mathsf{submitted}) \land Materials(pc, p))$

 - $\psi(mo\_id) = \forall w, pc, p, s\, \big( (w \neq mo\_id \to (MO(w, pc, p, s) \leftrightarrow MO'(w, pc, p, s))) \land (MO(mo\_id, pc, p, s) \to (MO'(mo\_id, pc, p, \mathsf{accepted}) \land (s \neq \mathsf{accepted} \to \lnot MO'(mo\_id, pc, p, s)))) \big)$

Notice that although actions are typically conceived to manipulate artifacts of a specific class, their preconditions and postconditions may depend on artifact instances of different classes. For example, the action $createMO$ manipulates MO artifacts, but its precondition depends on PO artifacts. We stress that action executability depends not only on the $status$ attribute of an artifact, but on the data content of the whole database, i.e., of all other artifacts. Similarly, action executions affect not only $status$ attributes. Most importantly, by using first-order formulas such as $\varphi_b = \forall x_1, \ldots, x_{b+1} \bigvee_{i \neq j} (x_i = x_j)$ in the postcondition $\psi$, we can guarantee that the AC program in question is bounded and is therefore amenable to the abstraction methodology of Section 6.

We now define the agents induced by the AC program $ACP_{otc}$ given above according to 
Definition 6.2. 

Definition 7.2 Given the AC program $ACP_{otc} = \langle \mathcal{D}_{otc}, U_{otc}, \Omega_{otc} \rangle$, the agents $A_c$, $A_m$ and $A_s$ 
induced by $ACP_{otc}$ are defined as follows: 

• $A_c = \langle \mathcal{D}_c, L_c, Act_c, Pr_c \rangle$, where (i) $\mathcal{D}_c$ is as above; (ii) $L_c = \mathcal{D}_c(U_{otc})$; (iii) $Act_c = \Omega_c = \{createPO(prod\_code, offer), submitPO(po\_id), pay(po\_id), deletePO(po\_id)\}$; and (iv) $\alpha(\vec{u}) \in Pr_c(l_c)$ iff $l_c \models \pi(\vec{v})$ for $\alpha(\vec{u}) = \langle \pi(\vec{v}), \psi(\vec{w}) \rangle$. 

• $A_m = \langle \mathcal{D}_m, L_m, Act_m, Pr_m \rangle$, where (i) $\mathcal{D}_m$ is as above; (ii) $L_m = \mathcal{D}_m(U_{otc})$; (iii) $Act_m = \Omega_m = \{createMO(po\_id, price), doneMO(mo\_id), shipPO(po\_id), deleteMO(mo\_id)\}$; and (iv) $\alpha(\vec{u}) \in Pr_m(l_m)$ iff $l_m \models \pi(\vec{v})$ for $\alpha(\vec{u}) = \langle \pi(\vec{v}), \psi(\vec{w}) \rangle$. 

• $A_s = \langle \mathcal{D}_s, L_s, Act_s, Pr_s \rangle$, where (i) $\mathcal{D}_s$ is as above; (ii) $L_s = \mathcal{D}_s(U_{otc})$; (iii) $Act_s = \Omega_s = \{acceptMO(mo\_id), rejectMO(mo\_id), shipMO(mo\_id)\}$; and (iv) $\alpha(\vec{u}) \in Pr_s(l_s)$ iff $l_s \models \pi(\vec{v})$ for $\alpha(\vec{u}) = \langle \pi(\vec{v}), \psi(\vec{w}) \rangle$. 

By the definition of $A_m$ we can see that $createMO(po\_id, price) \in Pr_m(l_m)$ if and only if the 
interpretation $l_m(PO)$ of the relation PO in the local state $l_m$ contains a tuple $(po\_id, pc, o, prepared)$ 
for some product $pc$ and offer $o$; while $doneMO(mo\_id) \in Pr_m(l_m)$ iff the interpretation $l_m(MO)$ 
contains a tuple with id $mo\_id$ and status $preparation$. It can also be checked that, in line with our 
discussion in Section 2, a full version of the function $\tau_{otc}$ given above can easily encode the 
artifacts' lifecycles as given in Figure 3. 

We can now define the AC-MAS generated by the set of agents $\{A_c, A_m, A_s\}$ according to 
Definition 6.3. 

Definition 7.3 Given the AC program $ACP_{otc}$ and the set $Ag = \{A_c, A_m, A_s\}$ of agents induced 
by $ACP_{otc}$, the AC-MAS induced by $ACP_{otc}$ is the tuple $\mathcal{P}_{otc} = \langle \mathcal{S}_{otc}, U_{otc}, s^0_{otc}, \tau_{otc} \rangle$, where: 

• $\mathcal{S}_{otc} \subseteq L_c \times L_m \times L_s$ is the set of reachable states; 

• $U_{otc}$ is the interpretation domain; 

• $s^0_{otc} = \langle l_{c0}, l_{m0}, l_{s0} \rangle$ is the initial global state, where the only non-empty relations are Products 
and Materials; 

• $\tau_{otc}$ is the global transition function defined according to Def. 6.3. 

As an example we give a snippet of the transition function $\tau_{otc}$ by considering the global action 
$\alpha(\vec{u}) = (createPO(pc), doneMO(m), acceptMO(m'))$ enabled by the respective protocols in a 
global state $s$. By the definition of the actions $createPO(pc)$, $doneMO(m)$, and $acceptMO(m')$ 
we have that $\alpha_i(\vec{u}_i) \in Pr_i(l_i(s))$ for $i \in \{c, m, s\}$ implies that the Products relation contains 
information about the product $pc$. Also, the interpretation of the relation MO contains the tuples 
$(m, p, pr, preparation)$ and $(m', p', pr', submitted)$ for some products $p$ and $p'$. 

By the definition of $\tau_{otc}$ it follows that for every $s' \in \mathcal{S}_{otc}$, $s \xrightarrow{\alpha(\vec{u})} s'$ implies that 
$D_s \oplus D_{s'} \models \psi_{createPO(pc)} \wedge \psi_{doneMO(m)} \wedge \psi_{acceptMO(m')}$, that is, 

$$
\begin{array}{l}
D_s \oplus D_{s'} \models \exists id, b\, (PO'(id, pc, b, prepared) \wedge Products(pc, b) \wedge {} \\
\quad \forall id', p, o, s\, (PO(id', p, o, s) \rightarrow id \neq id')) \wedge {} \\
\forall w, p, pr, s\, ((w \neq m \rightarrow (MO(w, p, pr, s) \leftrightarrow MO'(w, p, pr, s))) \wedge {} \\
\quad (MO(m, p, pr, s) \rightarrow (MO'(m, p, pr, submitted) \wedge {} \\
\quad\quad (s \neq submitted \rightarrow \neg MO'(m, p, pr, s))))) \wedge {} \\
\forall w, p, pr, s\, ((w \neq m' \rightarrow (MO(w, p, pr, s) \leftrightarrow MO'(w, p, pr, s))) \wedge {} \\
\quad (MO(m', p, pr, s) \rightarrow (MO'(m', p, pr, accepted) \wedge {} \\
\quad\quad (s \neq accepted \rightarrow \neg MO'(m', p, pr, s)))))
\end{array}
$$

Hence, the interpretation of the relation PO in $D_{s'}$ extends $D_s(PO)$ with the tuple $(id, pc, b, prepared)$, 
where $id$ is a fresh id. The tuples for the material orders $m$ and $m'$ are updated in $D_{s'}(MO)$ by 
becoming $(m, p, pr, submitted)$ and $(m', p', pr', accepted)$, respectively. In view of the second 
condition on $\tau_{otc}$ in Definition 6.3, no other elements are changed in the transition. Finally, notice 
that these extensions are indeed the interpretations of PO and MO in $D_{s'}$. Thus, the operational 
semantics satisfies the intended meaning of actions. 

We can now investigate properties of the AC program $ACP_{otc}$ by using specifications in FO-CTLK. 
For instance, the following formula specifies that the manufacturer $m$ knows that each material 
order MO has to match a corresponding purchase order PO: 

$$\varphi_{match} = AG\, \forall id, pc\, (\exists pr, s\, MO(id, pc, pr, s) \rightarrow K_m\, \exists o, s'\, PO(id, pc, o, s'))$$

The next specification states that, given a material order MO, the customer will eventually know 
that the corresponding PO will be shipped. 

$$\varphi_{fulfil} = AG\, \forall id, pc\, (\exists pr, s\, MO(id, pc, pr, s) \rightarrow EF\, K_c\, \exists o\, PO(id, pc, o, shipped))$$

Further, we may be interested in checking whether budget and costs are always kept secret from 
the supplier $s$ and the customer $c$ respectively, and whether the customer (resp., the supplier) knows 
this fact: 

$$\varphi_{budget} = K_c\, \forall pc\, AG\, \neg \exists b\, K_s\, Products(pc, b)$$
$$\varphi_{cost} = K_s\, \forall mc\, AG\, \neg \exists c\, K_c\, Materials(mc, c)$$

Other interesting specifications describing properties of the artifact system and the agents operating 
in it can be similarly formalised in FO-CTLK, thereby providing the engineer with a valuable 
tool to assess the implementation. 

We now proceed to exploit the methodology of Section 6 to verify the AC program $ACP_{otc}$. 
We use $\varphi_{match}$ as an example specification; analogous results can be obtained for other formulas. 
Observe that according to Definition 6.3 the AC-MAS induced by $ACP_{otc}$ has infinitely many 
states. 

We assume two interpretations for the relations Products and Materials, which determine an 
initial state $D_0$. Consider the maximum number $max$ of parameters and the constants $C_\Omega$ in the 
operations in $\Omega_c$, $\Omega_m$ and $\Omega_s$. In the case under analysis we have that $max = 2$. We earlier remarked 
that formulas such as $\varphi_b$ in the postcondition of actions force the AC-MAS $\mathcal{P}_{otc}$ corresponding to 
$ACP_{otc}$ to be bounded. Here we have that $\mathcal{P}_{otc}$ is $b$-bounded. According to Corollary 4.14, we can 
therefore consider a finite domain $U'$ such that 

$$U' \supseteq D_0 \cup C_\Omega \cup const(\varphi_{match}) = D_0(Products) \cup D_0(Materials) \cup C_\Omega$$

and such that 

$$|U'| \geq 2b + |D_0| + |C_\Omega| + |const(\varphi_{match})| + max = 2b + |D_0| + |C_\Omega| + 2$$

where $const(\varphi_{match}) = \emptyset$ since $\varphi_{match}$ mentions no constants. For instance, we can consider any 
subset $U'$ of $U_{otc}$ satisfying the conditions above. Given that $U'$ satisfies the hypothesis of 
Theorem 6.7, it follows that the AC program $ACP_{otc}$ over $U_{otc}$ satisfies $\varphi_{match}$ if and only if 
$ACP_{otc}$ over $U'$ does. But the AC-MAS induced by the latter is a finite-state system, which can be 
constructively built by running the AC program $ACP_{otc}$ on the elements in $U'$. Thus, 
$ACP_{otc} \models \varphi_{match}$ is a decidable instance of model checking that can therefore be solved 
by means of standard techniques. 

A manual check on the finite model indeed reveals that $\varphi_{match}$, $\varphi_{budget}$ and $\varphi_{cost}$ are satisfied 
in the finite model, whereas $\varphi_{fulfil}$ is not. By Corollary 4.14 the AC-MAS $\mathcal{P}_{otc}$ induced by $ACP_{otc}$ 
satisfies the same specifications. Hence, in view of Definition 6.5, we conclude that the artifact-centric 
program $ACP_{otc}$ satisfies $\varphi_{match}$, $\varphi_{budget}$ and $\varphi_{cost}$ but does not satisfy $\varphi_{fulfil}$. This is 
entirely in line with our intuitions of the scenario. 
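As an added example that is not part of the paper, the following Python model executes the Table 1 actions createPO, createMO, doneMO and acceptMO over a relational state, enumerates the finite-state system induced over a constructed identifier pool standing in for $U'$, and checks on every reachable state the data condition underlying $\varphi_{match}$. The epistemic operator $K_m$ is dropped and each step is a single agent's action while the others idle, both simplifications of Definition 6.3; the sample Products and Materials interpretations, the id pool and the candidate prices are constructed.

```python
from collections import deque
# Constructed sample data (not from the paper): one product, one material price.
DB0 = {"PO": frozenset(), "MO": frozenset(),
       "Products": frozenset({("p1", 100)}), "Materials": frozenset({("p1", 40)})}
IDS = ("id1", "id2")   # constructed finite identifier pool, playing the role of U'
PRICES = (40, 55)      # candidate prices for createMO; only 40 is in Materials
def create_po(db, pc, ids):
    """createPO(pc): needs Products(pc, b); adds PO(id, pc, b, prepared) for a fresh id."""
    bs = sorted(b for (p, b) in db["Products"] if p == pc)
    fresh = sorted(i for i in ids if i not in {t[0] for t in db["PO"]})
    if not bs or not fresh:
        return None
    return {**db, "PO": db["PO"] | {(fresh[0], pc, bs[0], "prepared")}}

def create_mo(db, po_id, price):
    """createMO(po_id, price): needs PO(po_id, pc, o, prepared) and no MO with that id."""
    pcs = [pc for (i, pc, _, s) in db["PO"] if i == po_id and s == "prepared"]
    if not pcs or any(t[0] == po_id for t in db["MO"]):
        return None
    return {**db, "MO": db["MO"] | {(po_id, pcs[0], price, "preparation")}}

def set_mo_status(db, mo_id, frm, to, needs_material=False):
    """doneMO (preparation -> submitted); acceptMO (submitted -> accepted, needs Materials(pc, p))."""
    hit = [t for t in db["MO"] if t[0] == mo_id and t[3] == frm]
    if not hit or (needs_material and (hit[0][1], hit[0][2]) not in db["Materials"]):
        return None
    return {**db, "MO": (db["MO"] - {hit[0]}) | {(mo_id, hit[0][1], hit[0][2], to)}}

def successors(db, ids, prices):
    """One agent acts per step while the others idle (a simplification of Def. 6.3)."""
    out = [create_po(db, pc, ids) for (pc, _) in db["Products"]]
    out += [create_mo(db, i, pr) for (i, _, _, _) in db["PO"] for pr in prices]
    for (i, _, _, _) in db["MO"]:
        out.append(set_mo_status(db, i, "preparation", "submitted"))
        out.append(set_mo_status(db, i, "submitted", "accepted", needs_material=True))
    return [s for s in out if s is not None]
def key(db):  # Products and Materials never change, so PO and MO identify a state
    return tuple(tuple(sorted(db[r])) for r in ("PO", "MO"))
def matches(db):  # data core of phi_match: every MO(id, pc, _, _) has a PO(id, pc, _, _)
    return all(any(i == j and pc == q for (j, q, _, _) in db["PO"]) for (i, pc, _, _) in db["MO"])
def explore(db0, ids, prices):
    """Breadth-first search of the finite abstraction; returns (state count, invariant holds)."""
    seen, queue, holds = {key(db0)}, deque([db0]), True
    while queue:
        db = queue.popleft()
        holds = holds and matches(db)
        for nxt in successors(db, ids, prices):
            if key(nxt) not in seen:
                seen.add(key(nxt)); queue.append(nxt)
    return len(seen), holds
```

Because createMO reuses the purchase order's id as the material order's id, the invariant holds in all 43 reachable states of this instance; replacing that id with a fresh one makes `explore` report a violation.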

8. Conclusions and Future Work 

In this paper we put forward a methodology for verifying agent-based artifact-centric systems. We 
proposed AC-MAS, a novel semantics incorporating first-order features, that can be used to rea- 
son about multi-agent systems in an artifact-centric setting. We observed that the model checking 
problem for these structures against specifications given in a first-order temporal-epistemic logic is 
undecidable and proceeded to identify suitable fragments for which decidability can be retained. 

We identified two orthogonal solutions to this issue. In the former we operated a restriction 
to the specification language and showed that, by limiting ourselves to sentence-atomic temporal- 
epistemic specifications, infinite-state, bounded AC-MAS admit finite abstractions. In the latter we 
kept the full first-order temporal-epistemic logic but identified the noteworthy subset of uniform 
AC-MAS. In this setting we showed that bounded uniform AC-MAS admit finite abstractions. The 
abstractions we identified in each setting depend on novel notions of bisimulation at first-order that 
we proposed. 

We explored the complexity of the model checking problem in this context and showed this to 
be EXPSPACE-complete. While this is obviously a hard problem, we need to consider that these 
are first-order structures which normally lead to undecidable problems. We were also reassured by 
the fact that the abstract interpretation domain is actually linear in the size of the bound considered. 
Mindful of the practical needs for verification in artifact-centric systems, we then explored how 
finite abstractions can actually be built. To this end, rather than investigating one specific data- 
centric language, we defined a general class of declarative artifact-centric programs. We showed 
that these systems admit uniform AC-MAS as their semantics. Under the assumption of bounded 
systems we showed that model checking these multi-agent system programs is decidable and gave 
a constructive procedure operating on bisimilar, finite models. While the results are general, they 
can be instantiated for various artifact-centric languages. For instance (Belardinelli et al., 2012b) 
explores finite abstractions of GSM programs by using these results. 

We exemplified the methodology put forward on a use-case consisting of several agents pur- 
chasing and delivering products. While the system has infinitely many states we showed it admits a 
finite abstraction that can be used to verify a variety of specifications on the system. 

A question left open in the present paper is whether the uniform condition we provided is tight. 
While we showed this to be a sufficient condition, we did not explore whether this is necessary for 
finite abstractions or whether more general properties can be given. In this context it is of interest 
that artifact-centric programs generate uniform structures. Also, it will be worthwhile to explore 
whether a notion related to uniformity can be applied to other domains in AI, for example to retain 
decidability of specific calculi. This would appear to be the case as preliminary studies in the 
Situation Calculus demonstrate (De Giacomo, Lesperance, & Patrizi, 2012). 

On the application side, we are also interested in exploring ways to use the results of this paper 
to build a model checker for artifact-centric MAS. Previous efforts in this area, including (Gonzalez, 
Griesmayer, & Lomuscio, 2012), are limited to finite state systems. It would therefore be of great 
interest to construct finite abstractions on the fly to check practical e-commerce scenarios such as 
the one here discussed. 